nova-ex n00b
Joined: 12 Dec 2008 Posts: 3
Posted: Fri Dec 12, 2008 3:33 pm Post subject: iptables dnat problem. |
Hi. I've recently run into some problems with my iptables config and I can't seem to get DNAT working. It was working fine for a very long time and then all of a sudden it stopped working. I am fairly certain that I didn't change anything, but I can't be sure. In any case, can anyone see anything wrong with my configuration (as shown below) or point out what may be the problem? I don't see any logs showing a drop on port 6112, and the DNAT just doesn't work. The port isn't forwarded.
Code: | # Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*raw
:PREROUTING ACCEPT [1921125911:863802040574]
:OUTPUT ACCEPT [2114610962:1847337877625]
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*nat
:PREROUTING ACCEPT [1504572:103548889]
:POSTROUTING ACCEPT [74634:12662220]
:OUTPUT ACCEPT [2621244:169121721]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6112:6119 -j DNAT --to-destination 192.168.0.102
-A PREROUTING -p tcp -m tcp --dport 34345:34354 -j DNAT --to-destination 192.168.0.104
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*mangle
:PREROUTING ACCEPT [341349312:150398540779]
:INPUT ACCEPT [316103889:132575323806]
:FORWARD ACCEPT [25190885:17821014962]
:OUTPUT ACCEPT [395005859:371873519680]
:POSTROUTING ACCEPT [420289716:389715518550]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*filter
:INPUT DROP [550751:59794382]
:FORWARD ACCEPT [25190885:17821014962]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49150:49300 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
|
Can anyone help me?
Carnildo Guru
Joined: 17 Jun 2004 Posts: 594
Posted: Sat Dec 13, 2008 12:08 am Post subject: Re: iptables dnat problem. |
nova-ex wrote: | Hi. I've recently run into some problems with my iptables config and I can't seem to get DNAT working. It was working fine for a very long time and then all of a sudden it stopped working. I am fairly certain that I didn't change anything, but I can't be sure. In any case, can anyone see anything wrong with my configuration (as shown below) or point out what may be the problem? I don't see any logs showing a drop on port 6112, and the DNAT just doesn't work. The port isn't forwarded.
Code: | -A PREROUTING -i eth0 -p tcp -m tcp --dport 6112:6119 -j DNAT --to-destination 192.168.0.102
-A PREROUTING -p tcp -m tcp --dport 34345:34354 -j DNAT --to-destination 192.168.0.104
|
|
IP addresses in the 192.168.0.100-192.168.0.254 range are usually assigned by DHCP. Are you running DHCP on your home network, and if so, has the IP address of the computer you're trying to forward to changed?
nova-ex n00b
Joined: 12 Dec 2008 Posts: 3
Posted: Sat Dec 13, 2008 1:30 am Post subject: |
Yep. I'm running DHCP and it seems to be running properly. I've assigned a fixed IP address to this same PC by using the MAC address thing, so it's always the same IP address. I've also checked on the particular computer to make sure it's the correct IP address.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sat Dec 13, 2008 5:46 am Post subject: |
Your FORWARD chain is surprisingly open, but there is nothing obviously wrong for your current problem. Is the DNAT rule even matching the incoming traffic? What is the network topology? Have you confirmed with a packet sniffer, such as net-analyzer/tcpdump, that the traffic arrives on the external interface and never leaves on the internal interface?
nova-ex n00b
Joined: 12 Dec 2008 Posts: 3
Posted: Sun Dec 14, 2008 11:10 am Post subject: |
Hey, thanks for the help.
eth0 is connected to my ADSL2+ modem, which is connected in bridge mode and uses PPPoE to connect to the internet.
eth1 is connected to my WRT54G, which acts as a wireless AP.
My Gentoo machine acts as a gateway, supposedly firewall (I will need your help later on securing that forward chain) and hosts my webserver and some other stuff (torrentflux heh).
I haven't had time to try out the tcpdump thing. I will in a while. But if you look at this output from iptables -L -n -v -x -t nat:
Code: | Chain PREROUTING (policy ACCEPT 1598187 packets, 108409053 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpts:6112:6119 to:192.168.0.102
     191      12002 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:34345:34354 to:192.168.0.104

Chain POSTROUTING (policy ACCEPT 76016 packets, 12935180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2791784  171371114 MASQUERADE all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2637290 packets, 170325290 bytes)
    pkts      bytes target     prot opt in     out     source               destination |
It seems as if a number of packets have been forwarded to 192.168.0.104, for which the DNAT is not working either. (I must not have tested the 6112 since I restarted.) And yet nothing seems to be forwarding for the 34545 one. Any help there?
Thanks again!
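A small audit of the counters shown in the post above, added here as an example and not part of the thread. It reads the NAT table in `iptables-save -c` format (the per-rule counters appear in brackets before each rule) and flags every PREROUTING DNAT rule that is bound with `-i` to an interface other than the one the MASQUERADE rule uses as the uplink. That the MASQUERADE interface is the one internet traffic enters on is an assumption of the script, stated in its comments; the sample input is constructed from the counters in the post (0 hits on the rule bound to eth0, 191 hits on the rule with no `-i`), so the `audit_dnat` function name and the sample are mine, not the poster's.

```shell
#!/bin/sh
# Added example (not from the thread): audit the nat table for DNAT rules
# that can never match because they are bound to the wrong input interface.
# Reads `iptables-save -c -t nat` output (per-rule counters in brackets) on stdin.
#
# Assumption: the interface named in the MASQUERADE rule (-o ppp0 here) is
# the uplink that internet traffic arrives on, so a PREROUTING DNAT rule
# whose -i names a different interface (e.g. the PPPoE carrier eth0) will
# sit at zero hits and forward nothing.

audit_dnat() {
    awk '
    # Remember the uplink from the MASQUERADE rule; it may appear after the
    # DNAT rules in the dump, so the verdict is computed in END.
    /-j MASQUERADE/ {
        for (i = 1; i <= NF; i++) if ($i == "-o") ext = $(i + 1)
    }
    # Counter-prefixed PREROUTING rules that jump to DNAT.
    /^\[[0-9]+:[0-9]+\] -A PREROUTING/ && /-j DNAT/ {
        n++
        split(substr($1, 2, length($1) - 2), c, ":")   # "[pkts:bytes]" -> pkts
        pkts[n] = c[1]
        iface[n] = "any"; port[n] = "?"; dest[n] = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-i") iface[n] = $(i + 1)
            if ($i == "--dport") port[n] = $(i + 1)
            if ($i == "--to-destination") dest[n] = $(i + 1)
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            status = "ok"
            if (iface[k] != "any" && iface[k] != ext) status = "iface-mismatch"
            else if (pkts[k] == 0) status = "no-hits"
            printf "%s dport=%s to=%s in=%s ext=%s pkts=%s\n",
                   status, port[k], dest[k], iface[k], ext, pkts[k]
        }
    }'
}

# Constructed sample in iptables-save -c format, modelled on the counters
# shown in the thread: 0 hits on the eth0-bound rule, 191 on the unbound one.
SAMPLE='*nat
:PREROUTING ACCEPT [1598187:108409053]
:POSTROUTING ACCEPT [76016:12935180]
:OUTPUT ACCEPT [2637290:170325290]
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 6112:6119 -j DNAT --to-destination 192.168.0.102
[191:12002] -A PREROUTING -p tcp -m tcp --dport 34345:34354 -j DNAT --to-destination 192.168.0.104
[2791784:171371114] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_dnat; }

# `sh audit.sh live` (as root) audits the running box; otherwise the sample.
if [ "${1:-}" = live ]; then
    iptables-save -c -t nat | audit_dnat
else
    audit_sample
fi
```

A zero-hit rule by itself is weak evidence (nobody may have connected since the counters were reset), but a DNAT rule bound to the Ethernet interface under a PPPoE session cannot match at all: the frames eth0 receives are PPPoE, not IP, and the decapsulated IP packets enter netfilter's PREROUTING hook on ppp0.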
Hu Moderator
Joined: 06 Mar 2007 Posts: 21631
Posted: Sun Dec 14, 2008 5:27 pm Post subject: |
If you want to show packet counters, iptables-save -c will show counters preceding each rule, in the iptables-save style. You say that eth0 is in bridged mode. Do you mean that you created a bridge using brctl? If so, the packets may have an input interface of br0, or whatever name you assigned to your bridge. Your failing rule is requesting an interface of eth0. Although not impossible, configuring a single system to bridge some traffic, route others, and NAT some of what is routed is more complex than a basic NAT setup.
Also, check that the output of cat /proc/sys/net/ipv4/ip_forward is 1.
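The thread ends without a resolved ruleset, so here is one way to redo the two forwards, added as an example and not the poster's configuration. It rests on one assumption, spelled out in the script: the poster's eth0 only carries the PPPoE session to the modem, so routable packets from the internet enter on ppp0 (where the MASQUERADE rule already sits), and a DNAT rule matching `-i eth0` never sees them, which is consistent with the counters shown earlier. It also replaces the wide-open FORWARD chain that Hu points out with a default-DROP chain that admits only the two forwarded ranges and traffic the LAN initiates. Interface names and addresses (ppp0, eth1, 192.168.0.0/24, the two target hosts and port ranges) are the ones from the thread; `-m state` is kept to match the iptables version shown; the `ipt` wrapper and `IPT` variable are mine.

```shell
#!/bin/sh
# Added example, not the poster's configuration: DNAT on the interface the
# internet traffic actually enters on, plus a closed FORWARD chain.
#
#   sh rules.sh apply            # load rules (as root)
#   IPT=echo sh rules.sh apply   # dry run: print the iptables commands instead

EXT=ppp0              # Assumption: PPPoE uplink; IP packets from the internet
                      # enter here. eth0 only carries the PPPoE frames.
LAN=eth1              # interface towards the WRT54G / LAN
LAN_NET=192.168.0.0/24

# Indirection so the rule set can be printed instead of loaded.
ipt() { ${IPT:-iptables} "$@"; }

# One DNAT rule plus its matching FORWARD accept. DNAT only rewrites the
# destination; with FORWARD defaulting to DROP the rewritten packet still
# needs an explicit accept, matched on the post-DNAT destination.
forward_port() {  # forward_port <tcp|udp> <dport or range> <lan host>
    proto=$1; dport=$2; dest=$3
    ipt -t nat -A PREROUTING -i "$EXT" -p "$proto" --dport "$dport" \
        -j DNAT --to-destination "$dest"
    ipt -A FORWARD -i "$EXT" -o "$LAN" -p "$proto" -d "$dest" --dport "$dport" \
        -m state --state NEW -j ACCEPT
}

apply_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F PREROUTING
    ipt -t nat -F POSTROUTING

    # Replies and related traffic in both directions.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may initiate anything outbound; nothing else may initiate.
    ipt -A FORWARD -i "$LAN" -o "$EXT" -s "$LAN_NET" -j ACCEPT

    # The two forwards from the thread, now bound to the uplink.
    forward_port tcp 6112:6119   192.168.0.102
    forward_port tcp 34345:34354 192.168.0.104

    ipt -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    # Same logging convention as the poster's INPUT/OUTPUT chains.
    ipt -A FORWARD -j LOG --log-prefix "IPTABLES-FWD Default Drop: " --log-level 7
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

The same `-i` discipline applies to the INPUT chain in the posted config: the accepts for 22, 3306, 12000 and the others carry no interface match, so they admit connections arriving on ppp0 as readily as from the LAN.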