Linux Forum Index » Linux Networking » Iptables PREROUTING Not All Working...
Noboby (Guest)
Posted: Fri Oct 16, 2009 9:44 am
Hello Folks,
I have done this in the past but no longer have access to that server
and cannot find my docs on it.
In the following config I have had the .49 port forwarding working for
years and it still does. I am trying to forward ALL packets for .51 to
10.1.1.8 and it is not working. I cannot ping or http to .51. If
iptables is off, I can ping .51.
ifconfig:
eth0 Link encap:Ethernet HWaddr 00:90:47:05:32:26
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::290:47ff:fe05:3226/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:309340 errors:0 dropped:0 overruns:0 frame:0
TX packets:508059 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67946729 (64.7 MiB) TX bytes:547897019 (522.5 MiB)
Interrupt:17 Base address:0xc00
eth1 Link encap:Ethernet HWaddr 00:03:47:D5:E9:B4
inet addr:xxx.xx.xx.49 Bcast:xxx.xx.xxx.255
Mask:255.255.255.248
inet6 addr: fe80::203:47ff:fed5:e9b4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:540722 errors:0 dropped:0 overruns:0 frame:0
TX packets:345149 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:537085651 (512.2 MiB) TX bytes:74074388 (70.6 MiB)
eth1:1 Link encap:Ethernet HWaddr 00:03:47:D5:E9:B4
inet addr:xxx.xx.xxx.xx Bcast:xxx.xx.xxx.255
Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5986 errors:0 dropped:0 overruns:0 frame:0
TX packets:5986 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
And rc.firewall is:
echo " Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT
echo " Dropping connections NMAP said were open"
$IPTABLES -A INPUT -p tcp --dport 139 -i eth1 -j DROP
#$IPTABLES -A INPUT -p tcp --dport 443 -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport printer -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport 3128 -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport 10000 -i eth1 -j DROP
echo " Dropping outbound smtp from inside."
# Assume MTA on the gateway box, nothing from the LAN needs to contact
# the world on port 25 directly.
# Log packets trying to cross the interfaces.
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG
# Drop those packets
$IPTABLES -A FORWARD -p tcp --dport 25 -j DROP
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o xxx.xx.xxx.51 -j MASQUERADE
echo " Enabling Terminal Services redirection."
$IPTABLES -t nat -A PREROUTING --dst xxx.xx.xx.49 -p tcp --dport 3389 -j DNAT --to-destination 10.1.1.98
echo " Enabling phone vpn redirection."
$IPTABLES -t nat -A PREROUTING -i $EXTIF --dst xxx.xx.xxx.51 -j DNAT --to-destination 10.1.1.8
$IPTABLES -t nat -A POSTROUTING -s 10.1.1.8 -j SNAT -o eth1 --to-source xxx.xx.xxx.51
echo -e "\nrc.firewall-2.2 v$FWVER done.\n"
I have tried various combinations and nothing seems to work for .51. As
you probably realize, the .49 and .51 are
real addresses on the same subnet.
This is an old box running Fedora Core 6, so the version
of iptables may not be the same as on a newer machine. It is running
kernel 2.6.22 from the Fedora update.
Any ideas?
Thanks,
Robert
Pascal Hambourg (Guest)
Posted: Fri Oct 16, 2009 2:19 pm
Hello,
Noboby wrote:
Quote:
$IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT
-o/-i take an interface name, not an address (nor an alias such as
eth1:1). Source/destination address matching is done with -s/-d.
Noboby (Guest)
Posted: Tue Oct 20, 2009 7:32 am
Pascal Hambourg wrote:
Quote: Hello,
Noboby wrote:
$IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT
-o/-i take an interface name, not an address (nor an alias such as
eth1:1). Source/destination address matching is done with -s/-d.
I should have looked up the parameters.
Can I or should I use the virtual external address with -o or just use
-s with the virtual external address?
Thanks,
Robert :-)
Pascal Hambourg (Guest)
Posted: Tue Oct 20, 2009 9:49 am
Noboby wrote:
Quote: Pascal Hambourg wrote:
-o/-i take an interface name, not an address (nor an alias such as
eth1:1). Source/destination address matching is done with -s/-d.
Can I or should I use the virtual external address with -o
What was not clear in "-o/-i take an interface name, not an address" ?
Quote: or just use -s with the virtual external address?
I don't know. Probably not. What do you want to achieve ? Please post
the complete relevant rules.
Noboby (Guest)
Posted: Thu Nov 05, 2009 5:05 pm
Pascal Hambourg wrote:
Quote: Noboby wrote:
Pascal Hambourg wrote:
-o/-i take an interface name, not an address (nor an alias such as
eth1:1). Source/destination address matching is done with -s/-d.
Can I or should I use the virtual external address with -o
What was not clear in "-o/-i take an interface name, not an address" ?
or just use -s with the virtual external address?
I don't know. Probably not. What do you want to achieve ? Please post
the complete relevant rules.
I even put in a better machine (old Dell server) and CentOS 5.3 and
still cannot make it work. Rules below:
______________________________________________________________________
echo " Dropping outbound smtp from inside."
# Assume MTA on the gateway box, nothing from the LAN needs to contact
# the world on port 25 directly.
# Log packets trying to cross the interfaces.
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG
# Drop those packets
$IPTABLES -A FORWARD -p tcp --dport 25 -j DROP
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s xxx.xx.xx.50 -j MASQUERADE
echo " Enabling Terminal Services redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxx.xx.xx.49 -j DNAT --to-destination 10.1.1.98
echo " Enabling phone vpn redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50 -j DNAT --to-destination 10.1.1.112
$IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination 173.11.168.50
______________________________________________________________________
The 3389 to .49 works as it always has under various outside addresses.
.50 is on eth1:1 and is pingable without the PREROUTING rule. I suspect
the issue is POSTROUTING but cannot find anything that tells me the
right way to do this. I have tried variations of this including
different ports and all ports. Would prefer all ports for this
particular application. .112 is a test machine on the inside and I
would like ALL traffic to .50 to be redirected to .112.
Thanks for looking at this,
Robert
Pascal Hambourg (Guest)
Posted: Thu Nov 05, 2009 6:00 pm
Noboby wrote:
Quote:
echo " Dropping outbound smtp from inside."
# Assume MTA on the gateway box, nothing from the LAN needs to contact
# the world on port 25 directly.
# Log packets trying to cross the interfaces.
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG
# Drop those packets
$IPTABLES -A FORWARD -p tcp --dport 25 -j DROP
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s xxx.xx.xx.50 -j MASQUERADE
echo " Enabling Terminal Services redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxx.xx.xx.49 -j DNAT --to-destination 10.1.1.98
echo " Enabling phone vpn redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50 -j DNAT --to-destination 10.1.1.112
What kind of VPN uses TCP port 3389 ?
Quote: $IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination 173.11.168.50
SNAT has no --to-destination option. What is the purpose of this rule ?
Shouldn't it be 10.1.1.112 instead of 10.0.1.112 ?
Is this the complete ruleset ?
Quote: .50 is on eth1:1 and is pingable without the PREROUTING rule.
The PREROUTING rule matches only TCP, I don't see how it could make ping
(ICMP echo) fail.
Quote: Would prefer all ports for this
particular application. .112 is a test machine on the inside and I
would like ALL traffice to .50 to be redirected to .112 .
Just remove "-p tcp --dport 3389" from the DNAT rule.
PS : This is not going anywhere. You just say "it does not work" but you
don't say *what* does not work and *how* it does not work, e.g. you
don't provide any packet trace. How do you expect any help ?
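As an added example (not code from this thread), here is a small pre-flight linter that catches the two syntax mistakes raised in the replies: the Oct 16 one (an address, or an eth1:1-style alias, given to -i/-o) and the one just above (SNAT with --to-destination, or DNAT with --to-source). It never runs iptables, so it needs no root. The function names lint_rule and lint_script are mine, and the sample rules are constructed from the ones quoted in the thread, with the public addresses masked as they were posted.

```shell
#!/bin/sh
# Added example, not code from the thread: a pre-flight linter for the
# iptables lines of a firewall script. It flags an address or alias given
# to -i/-o and a SNAT/DNAT target paired with the wrong --to-* option,
# without executing anything, so it works as an unprivileged user.

# lint_rule "<arguments of one iptables invocation>"
# Prints one line per problem and returns the number of problems found.
lint_rule() {
    target=""      # -j target seen so far; decides which --to-* option is legal
    problems=0
    set -- $1      # split the rule string into words (intentional)
    while [ $# -gt 0 ]; do
        case $1 in
            -i|-o|--in-interface|--out-interface)
                opt=$1
                shift
                # Interface names contain no dot; a colon marks an ifconfig
                # alias, which iptables does not know about either.
                case $1 in
                    *.*|*:*)
                        echo "$opt $1: takes an interface name, not an address or alias (use -s/-d for addresses)"
                        problems=$((problems + 1)) ;;
                esac ;;
            -j|--jump)
                shift
                target=$1 ;;
            --to-destination|--to-destination=*)
                if [ "$target" = SNAT ]; then
                    echo "SNAT has no --to-destination option (use --to-source)"
                    problems=$((problems + 1))
                fi ;;
            --to-source|--to-source=*)
                if [ "$target" = DNAT ]; then
                    echo "DNAT has no --to-source option (use --to-destination)"
                    problems=$((problems + 1))
                fi ;;
        esac
        if [ $# -gt 0 ]; then shift; fi   # guard: -i or -j may have been the last word
    done
    return $problems
}

# lint_script < script
# Lints every line that invokes iptables, directly or through the customary
# $IPTABLES variable, and prints the total number of problems.
lint_script() {
    total=0
    while IFS= read -r line; do
        case $line in
            '$IPTABLES '*|iptables\ *|*/iptables\ *)
                args=${line#* }                   # drop the command word
                count=$(lint_rule "$args" | wc -l)
                total=$((total + count)) ;;
        esac
    done
    echo "$total"
}

# Constructed sample: the rules quoted in this thread, one per line.
sample_rules='$IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination xxx.xx.xx.50
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d xxx.xx.xx.50 -j DNAT --to-destination 10.1.1.112'

# Prints 3 for the sample; run it on a real script with:  lint_script < rc.firewall
printf '%s\n' "$sample_rules" | lint_script
```

The linter only inspects option syntax; it says nothing about whether a rule is in the right chain or order, which is what the rest of the thread turns on.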
Noboby (Guest)
Posted: Fri Nov 06, 2009 12:30 pm
Pascal Hambourg wrote:
Quote: Noboby wrote:
echo " Enabling phone vpn redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50 -j DNAT --to-destination 10.1.1.112
What kind of VPN uses TCP port 3389 ?
Since I could not reach the router on the inside, I tried reaching a
Windows machine. 3389, as you may know, is the port for Remote Desktop
on a Windows machine.
Quote: $IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination 173.11.168.50
SNAT has no --to-destination option. What is the purpose of this rule ?
Shouldn't it be 10.1.1.112 instead of 10.0.1.112 ?
I read that a POSTROUTING rule was necessary. Yes, typo, should be
10.1.1.112,
Quote: Is this the complete ruleset ?
No, I will post the complete after I make some of your suggestions.
Quote: .50 is on eth1:1 and is pingable without the PREROUTING rule.
The PREROUTING rule matches only TCP, I don't see how it could make ping
(ICMP echo) fail.
Good point, but it does. Perhaps in combination with another rule.
Quote: Would prefer all ports for this
particular application. .112 is a test machine on the inside and I
would like ALL traffic to .50 to be redirected to .112.
Just remove "-p tcp --dport 3389" from the DNAT rule.
I have tried that with no success.
Quote:
PS : This is not going anywhere. You just say "it does not work" but you
don't say *what* does not work and *how* it does not work, e.g. you
don't provide any packet trace. How do you expect any help ?
Sorry, I thought it would be obvious from my statements. As an example,
for the test 3389 port I should be able to connect to the Windows
machine at .112 with Remote Desktop from the outside using the .50 . I
cannot. Even after correcting the typo, I cannot.
Thanks very much for your help,
Robert
Pascal Hambourg (Guest)
Posted: Fri Nov 06, 2009 4:53 pm
Noboby wrote:
Quote: Pascal Hambourg wrote:
Noboby wrote:
echo " Enabling phone vpn redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50 -j DNAT --to-destination 10.1.1.112
What kind of VPN uses TCP port 3389 ?
Since I could not reach the router on the inside,
What router on the inside ?
Quote: I tried reaching a
Windows machine. 3389, as you may know, is the port for Remote Desktop
on a Windows machine.
Ok.
Quote: $IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination 173.11.168.50
SNAT has no --to-destination option. What is the purpose of this rule ?
Shouldn't it be 10.1.1.112 instead of 10.0.1.112 ?
I read that a POSTROUTING rule was necessary.
Not for a redirection (DNAT). It affects only outgoing connections, not
incoming connections.
Quote: Yes, typo, should be 10.1.1.112,
And --to-destination should be --to-source.
Quote: The PREROUTING rule matches only TCP, I don't see how it could make ping
(ICMP echo) fail.
Good point, but it does. Perhaps in combination with another rule.
No, it doesn't. A rule with "-p tcp" cannot affect ICMP packets.
Quote: Sorry, I thought it would be obvious from my statements. As an example,
for the test 3389 port I should be able to connect to the Windows
machine at .112 with Remote Desktop from the outside using the .50 . I
cannot. Even after correcting the typo, I cannot.
Connecting to the Windows box with RDP involves more than the DNAT rule:
- the DNATed packets in states NEW,ESTABLISHED must be accepted in the
FORWARD chain
- the Windows box firewall must accept the packets
- the Windows box must run the RDP service
- the Windows box must have a route back to the source through the Linux
box (default gateway)
- the return packets from the Windows box in state ESTABLISHED must be
accepted in the FORWARD chain
I suggest you use packet capture on each interface of the Linux and the
Windows boxes on the path to check whether the packets are transmitted
as expected. You can also insert LOG rules to log these packets through
the iptables chains.
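As an added example (not the poster's rc.firewall and not code from this reply), the following script turns the checklist above into a complete ruleset for "redirect every packet for the public .50 address to the inside host .112", with the LOG rules suggested for tracing. Assumptions, all mine: eth1 is the public interface and eth0 the LAN, the public address is masked as in the thread, the function names dnat_rules and trace_rules are invented, and IPTABLES defaults to an echo dry run so the output can be reviewed without root (set IPTABLES=/sbin/iptables to apply).

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: every rule a whole-address
# DNAT redirection needs, plus LOG rules to see where a packet stops.
EXTIF=eth1             # iptables wants the base interface; eth1:1 is only an ifconfig alias
INTIF=eth0
PUBLIC=xxx.xx.xx.50    # secondary public address (masked as in the thread); substitute the real one
INSIDE=10.1.1.112      # inside host receiving the redirected traffic
IPTABLES=${IPTABLES:-"echo iptables"}   # dry run unless overridden
# Also required, outside iptables: net.ipv4.ip_forward=1 on the gateway and a
# default route on the inside host that points back at the Linux box.

dnat_rules() {
    # 1. Rewrite the destination before routing. No -p/--dport, so every
    #    protocol (ICMP echo included) is redirected; -i limits it to the
    #    public side.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -d "$PUBLIC" -j DNAT --to-destination "$INSIDE"
    # 2. FORWARD sees the packet after DNAT, so match the inside address.
    #    NEW must be accepted or the first packet of every connection dies here.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$INSIDE" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Replies from the inside host; conntrack reverses the DNAT on its own.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INSIDE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Only for connections the inside host initiates: show them as coming
    #    from the public address. --to-source, not --to-destination, and it must
    #    sit before the generic MASQUERADE rule (-I ... 1) or it never matches.
    $IPTABLES -t nat -I POSTROUTING 1 -o "$EXTIF" -s "$INSIDE" -j SNAT --to-source "$PUBLIC"
}

# One LOG rule per hop on the way in, so the kernel log shows where a packet
# stops. mangle PREROUTING runs before DNAT and sees every packet, not only
# the first of a connection as the nat table does; the prefixes keep the
# lines grep-able and the limit keeps a flood out of the log.
trace_rules() {
    $IPTABLES -t mangle -I PREROUTING 1 -i "$EXTIF" -d "$PUBLIC" \
        -m limit --limit 5/min -j LOG --log-prefix "TRACE-PRE: "
    $IPTABLES -I FORWARD 1 -d "$INSIDE" \
        -m limit --limit 5/min -j LOG --log-prefix "TRACE-FWD: "
    $IPTABLES -t mangle -I POSTROUTING 1 -o "$INTIF" -d "$INSIDE" \
        -m limit --limit 5/min -j LOG --log-prefix "TRACE-POST: "
}

# Dry run by default: prints the commands for review.
dnat_rules
trace_rules
```

Read the trace as three checkpoints: a TRACE-PRE line without a TRACE-FWD line means the packet was dropped or rejected between PREROUTING and FORWARD (an earlier FORWARD rule, or forwarding disabled); TRACE-POST without a reply seen on the LAN interface points at the inside host or its firewall; and a reply that reaches eth0 but never leaves eth1 points at the return-path FORWARD rule or the inside host's default gateway.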