Gentoo Forums
Forum: Networking & Security
nova-ex
n00b
Joined: 12 Dec 2008
Posts: 3
Posted: Fri Dec 12, 2008 3:33 pm    Post subject: iptables dnat problem.

Hi. I've recently run into some problems with my iptables config and I can't seem to get DNAT working. It was working fine for a very long time and then all of a sudden it stopped working. I am fairly certain that I didn't change anything, but I can't be sure. In any case, can anyone see anything wrong with my configuration (as shown below) or point out what may be the problem? I don't see any logs showing a drop on port 6112, and the DNAT just doesn't work. The port isn't forwarded.

Code:
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*raw
:PREROUTING ACCEPT [1921125911:863802040574]
:OUTPUT ACCEPT [2114610962:1847337877625]
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*nat
:PREROUTING ACCEPT [1504572:103548889]
:POSTROUTING ACCEPT [74634:12662220]
:OUTPUT ACCEPT [2621244:169121721]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6112:6119 -j DNAT --to-destination 192.168.0.102
-A PREROUTING -p tcp -m tcp --dport 34345:34354 -j DNAT --to-destination 192.168.0.104
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*mangle
:PREROUTING ACCEPT [341349312:150398540779]
:INPUT ACCEPT [316103889:132575323806]
:FORWARD ACCEPT [25190885:17821014962]
:OUTPUT ACCEPT [395005859:371873519680]
:POSTROUTING ACCEPT [420289716:389715518550]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Fri Dec 12 23:20:46 2008
# Generated by iptables-save v1.3.5 on Fri Dec 12 23:20:46 2008
*filter
:INPUT DROP [550751:59794382]
:FORWARD ACCEPT [25190885:17821014962]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ! ppp0 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49150:49300 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 783 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 12000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 15000 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2210 -j ACCEPT
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -d 192.168.0.0/255.255.255.0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o ppp0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Fri Dec 12 23:20:46 2008


Can anyone help me?
Carnildo
Guru
Joined: 17 Jun 2004
Posts: 594
Posted: Sat Dec 13, 2008 12:08 am    Post subject: Re: iptables dnat problem.

nova-ex wrote:
Hi. I've recently run into some problems with my iptables config and I can't seem to get DNAT working. It was working fine for a very long time and then all of a sudden it stopped working. I am fairly certain that I didn't change anything, but I can't be sure. In any case, can anyone see anything wrong with my configuration (as shown below) or point out what may be the problem? I don't see any logs showing a drop on port 6112, and the DNAT just doesn't work. The port isn't forwarded.

Code:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 6112:6119 -j DNAT --to-destination 192.168.0.102
-A PREROUTING -p tcp -m tcp --dport 34345:34354 -j DNAT --to-destination 192.168.0.104


IP addresses in the 192.168.0.100-192.168.0.254 range are usually assigned by DHCP. Are you running DHCP on your home network, and if so, has the IP address of the computer you're trying to forward to changed?
nova-ex
n00b
Joined: 12 Dec 2008
Posts: 3
Posted: Sat Dec 13, 2008 1:30 am

Yep. I'm running DHCP and it seems to be running properly. I've assigned a fixed IP address to this same PC by using the MAC address thing, so it's always the same IP address. I've also checked on the particular computer to make sure it's the correct IP address.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21631
Posted: Sat Dec 13, 2008 5:46 am

Your FORWARD chain is surprisingly open, but there is nothing obviously wrong for your current problem. Is the DNAT rule even matching the incoming traffic? What is the network topology? Have you confirmed with a packet sniffer, such as net-analyzer/tcpdump, that the traffic arrives on the external interface and never leaves on the internal interface?
nova-ex
n00b
Joined: 12 Dec 2008
Posts: 3
Posted: Sun Dec 14, 2008 11:10 am

Hey, thanks for the help.

eth0 is connected to my ADSL2+ modem, which is connected in bridge mode and uses PPPoE to connect to the internet.
eth1 is connected to my WRT54G, which acts as a wireless AP.

My Gentoo machine acts as a gateway, supposedly a firewall (I will need your help later on securing that FORWARD chain), and hosts my web server and some other stuff (torrentflux, heh).

I haven't had time to try out the tcpdump thing. I will in a while. But look at this output from iptables -L -n -v -x -t nat:

Code:
Chain PREROUTING (policy ACCEPT 1598187 packets, 108409053 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6112:6119 to:192.168.0.102
     191    12002 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:34345:34354 to:192.168.0.104

Chain POSTROUTING (policy ACCEPT 76016 packets, 12935180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2791784 171371114 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 2637290 packets, 170325290 bytes)
    pkts      bytes target     prot opt in     out     source               destination


It seems as if a number of packets have been forwarded to 192.168.0.104, for which the DNAT is not working either (I must not have tested the 6112 one since I restarted), and yet nothing seems to be forwarding for the 34545 one. Any help there?

Thanks again!
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21631
Posted: Sun Dec 14, 2008 5:27 pm

If you want to show packet counters, iptables-save -c will show counters preceding each rule, in the iptables-save style. You say that eth0 is in bridged mode. Do you mean that you created a bridge using brctl? If so, the packets may have an input interface of br0, or whatever name you assigned to your bridge. Your failing rule is requesting an interface of eth0. Although not impossible, configuring a single system to bridge some traffic, route other traffic, and NAT some of what is routed is more complex than a basic NAT setup.

Also, check that the output of cat /proc/sys/net/ipv4/ip_forward is 1.
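An added example, not code from this thread or from any of its posters: a small Python triage script for the two counter formats mentioned above, the iptables -L -n -v -x -t nat listing nova-ex posted and the iptables-save -c form Hu recommends. It parses the rules with their packet counters and reports every DNAT rule whose counter is still zero, which is the direct answer to "is the DNAT rule even matching?". If you also pass the interface on which tcpdump actually shows the inbound packets, it says whether the rule's -i constraint is the mismatch (Hu's br0-versus-eth0 point). The sample inputs are constructed from the listing in the thread; the counters in the iptables-save -c sample are copied from that listing, and the observed interface name br0 is an assumption used for illustration only.

```python
"""Triage iptables DNAT rules from their packet counters.

A DNAT rule whose counter stays at zero never matched: the packets either do
not reach the box at all or arrive on an interface other than the one the
rule's -i constraint names (e.g. br0 instead of eth0 after bridging). A rule
whose counter grows while forwarding still fails points past PREROUTING: the
FORWARD chain, net.ipv4.ip_forward, or the target host itself.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class NatRule:
    chain: str
    target: str
    pkts: int
    in_if: Optional[str]  # None when the rule matches any input interface
    match: str            # remaining match text, kept for the report


# Constructed sample: the `iptables -L -n -v -x -t nat` listing quoted in the thread.
SAMPLE_LIST = """\
Chain PREROUTING (policy ACCEPT 1598187 packets, 108409053 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6112:6119 to:192.168.0.102
     191    12002 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:34345:34354 to:192.168.0.104

Chain POSTROUTING (policy ACCEPT 76016 packets, 12935180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
 2791784 171371114 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0
"""

# Constructed sample in `iptables-save -c` style; counters copied from the listing above.
SAMPLE_SAVE = """\
*nat
[0:0] -A PREROUTING -i eth0 -p tcp -m tcp --dport 6112:6119 -j DNAT --to-destination 192.168.0.102
[191:12002] -A PREROUTING -p tcp -m tcp --dport 34345:34354 -j DNAT --to-destination 192.168.0.104
[2791784:171371114] -A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
"""

SAVE_RULE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


def parse_list_output(text: str) -> List[NatRule]:
    """Parse `iptables -L -n -v -x` output (columns: pkts bytes target prot opt in out src dst ...)."""
    rules: List[NatRule] = []
    chain: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        cols = line.split()
        if chain is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # header row or blank separator
        pkts, _bytes, target, _prot, _opt, in_if, _out_if, _src, _dst = cols[:9]
        rules.append(NatRule(chain, target, int(pkts), None if in_if == "*" else in_if, " ".join(cols[9:])))
    return rules


def parse_save_output(text: str) -> List[NatRule]:
    """Parse `iptables-save -c` output, where each rule is prefixed with [pkts:bytes]."""
    rules: List[NatRule] = []
    for line in text.splitlines():
        m = SAVE_RULE.match(line)
        if not m:
            continue  # table name, chain policy line, COMMIT, comments
        pkts, _bytes, chain, rest = m.groups()
        toks = rest.split()
        in_if: Optional[str] = None
        target = ""
        for i, tok in enumerate(toks):
            if tok == "-i" and i + 1 < len(toks):
                if toks[i + 1] == "!" and i + 2 < len(toks):
                    in_if = "!" + toks[i + 2]  # old-style negation `-i ! ppp0`, as in the poster's filter table
                else:
                    in_if = toks[i + 1]
            elif tok == "-j" and i + 1 < len(toks):
                target = toks[i + 1]
        rules.append(NatRule(chain, target, int(pkts), in_if, rest))
    return rules


def unmatched_dnat(rules: List[NatRule], observed_if: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (chain, match, hint) for every DNAT rule that never matched.

    observed_if is the interface on which tcpdump actually shows the inbound
    packets; when it differs from the rule's -i constraint, the hint says so.
    """
    findings = []
    for r in rules:
        if r.target != "DNAT" or r.pkts != 0:
            continue
        hint = "counter is 0: rule never matched"
        if r.in_if and observed_if and r.in_if != observed_if:
            hint += f"; rule requires -i {r.in_if} but traffic arrives on {observed_if}"
        findings.append((r.chain, r.match, hint))
    return findings


if __name__ == "__main__":
    # br0 is an assumed interface name, standing in for whatever tcpdump shows on the real box.
    for chain, match, hint in unmatched_dnat(parse_list_output(SAMPLE_LIST), observed_if="br0"):
        print(f"{chain}: {match} -> {hint}")
```

On the thread's own numbers this flags only the 6112:6119 rule; the 34345:34354 rule has matched 191 packets, so for that one the fault has to be looked for after PREROUTING (ip_forward, the FORWARD chain, or the host at 192.168.0.104) rather than in the DNAT rule itself.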
All times are GMT