Iptables PREROUTING Not All Working

 
Noboby
(Msg. 1) Posted: Fri Oct 16, 2009 10:44 am
Post subject: Iptables PREROUTING Not All Working
Archived from groups: comp.os.linux.networking

Hello Folks,

I have done this in the past but no longer have access to that server
and cannot find my docs on it.

In the following config I have had the .49 port forwarding working for
years and it still does. I am trying to forward ALL packets for .51 to
10.1.1.8 and it is not working. I cannot ping or HTTP to .51. If
iptables is off, I can ping .51.

ifconfig:

eth0 Link encap:Ethernet HWaddr 00:90:47:05:32:26
inet addr:10.1.1.1 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: fe80::290:47ff:fe05:3226/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:309340 errors:0 dropped:0 overruns:0 frame:0
TX packets:508059 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:67946729 (64.7 MiB) TX bytes:547897019 (522.5 MiB)
Interrupt:17 Base address:0xc00

eth1 Link encap:Ethernet HWaddr 00:03:47:D5:E9:B4
inet addr:xxx.xx.xx.49 Bcast:xxx.xx.xxx.255
Mask:255.255.255.248
inet6 addr: fe80::203:47ff:fed5:e9b4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:540722 errors:0 dropped:0 overruns:0 frame:0
TX packets:345149 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:537085651 (512.2 MiB) TX bytes:74074388 (70.6 MiB)

eth1:1 Link encap:Ethernet HWaddr 00:03:47:D5:E9:B4
inet addr:xxx.xx.xxx.xx Bcast:xxx.xx.xxx.255
Mask:255.255.255.248
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1


lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:5986 errors:0 dropped:0 overruns:0 frame:0
TX packets:5986 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

And rc.firewall is:

echo " Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT

echo " Dropping connections NMAP said were open"

$IPTABLES -A INPUT -p tcp --dport 139 -i eth1 -j DROP
#$IPTABLES -A INPUT -p tcp --dport 443 -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport printer -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport 3128 -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport 6000 -i eth1 -j DROP
$IPTABLES -A INPUT -p tcp --dport 10000 -i eth1 -j DROP


echo " Dropping outbound smtp from inside."

# Assume MTA on the gateway box, nothing from the LAN needs to contact
# the world on port 25 directly.

# Log packets trying to cross the interfaces.
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG

# Drop those packets
$IPTABLES -A FORWARD -p tcp --dport 25 -j DROP

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -o xxx.xx.xxx.51 -j MASQUERADE

echo " Enabling Terminal Services redirection."

$IPTABLES -t nat -A PREROUTING --dst xxx.xx.xx.49 -p tcp --dport 3389 -j DNAT --to-destination 10.1.1.98

echo " Enabling phone vpn redirection."

$IPTABLES -t nat -A PREROUTING -i $EXTIF --dst xxx.xx.xxx.51 -j DNAT --to-destination 10.1.1.8
$IPTABLES -t nat -A POSTROUTING -s 10.1.1.8 -j SNAT -o eth1 --to-source xxx.xx.xxx.51


echo -e "\nrc.firewall-2.2 v$FWVER done.\n"


I have tried various combinations and nothing seems to work for .51. As
you probably realize the .49 and .51 are
real addresses on the same subnet.

This is an old box running Fedora Core 6 so the version
of iptables may not be the same as a newer machine. It is running
kernel 2.6.22 from the Fedora update.

Any ideas?

Thanks,
Robert
Pascal Hambourg
(Msg. 2) Posted: Fri Oct 16, 2009 3:20 pm
Post subject: Re: Iptables PREROUTING Not All Working

Hello,

Noboby wrote:
>
> $IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT

-o/-i take an interface name, not an address (nor an alias such as
eth1:1). Source/destination address matching is done with -s/-d.
Noboby
(Msg. 3) Posted: Tue Oct 20, 2009 8:32 am
Post subject: Re: Iptables PREROUTING Not All Working

Pascal Hambourg wrote:
> Hello,
>
> Noboby wrote:
>> $IPTABLES -A FORWARD -i xxx.xx.xx.51 -o $INTIF -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -i $INTIF -o xxx.xx.xx.51 -j ACCEPT
>
> -o/-i take an interface name, not an address (nor an alias such as
> eth1:1). Source/destination address matching is done with -s/-d.

I should have looked up the parameters.

Can I or should I use the virtual external address with -o or just use
-s with the virtual external address?

Thanks,
Robert:-)
Pascal Hambourg
(Msg. 4) Posted: Tue Oct 20, 2009 11:20 am
Post subject: Re: Iptables PREROUTING Not All Working

Noboby wrote:
> Pascal Hambourg wrote:
>>
>> -o/-i take an interface name, not an address (nor an alias such as
>> eth1:1). Source/destination address matching is done with -s/-d.
>
> Can I or should I use the virtual external address with -o

What was not clear in "-o/-i take an interface name, not an address"?

> or just use -s with the virtual external address?

I don't know. Probably not. What do you want to achieve? Please post
the complete relevant rules.
Noboby
(Msg. 5) Posted: Thu Nov 05, 2009 4:05 pm
Post subject: Re: Iptables PREROUTING Not All Working

Pascal Hambourg wrote:
> Noboby wrote:
>> Pascal Hambourg wrote:
>>> -o/-i take an interface name, not an address (nor an alias such as
>>> eth1:1). Source/destination address matching is done with -s/-d.
>> Can I or should I use the virtual external address with -o
>
> What was not clear in "-o/-i take an interface name, not an address"?
>
>> or just use -s with the virtual external address?
>
> I don't know. Probably not. What do you want to achieve? Please post
> the complete relevant rules.


I even put in a better machine (old Dell server) and CentOS 5.3 and
still cannot make it work. Rules below:

______________________________________________________________________
echo " Dropping outbound smtp from inside."

# Assume MTA on the gateway box, nothing from the LAN needs to contact
# the world on port 25 directly.

# Log packets trying to cross the interfaces.
$IPTABLES -A FORWARD -p tcp --dport 25 -j LOG

# Drop those packets
$IPTABLES -A FORWARD -p tcp --dport 25 -j DROP

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A POSTROUTING -s xxx.xx.xx.50 -j MASQUERADE

echo " Enabling Terminal Services redirection."

$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxx.xx.xx.49 -j DNAT --to-destination 10.1.1.98

echo " Enabling phone vpn redirection."
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50 -j DNAT --to-destination 10.1.1.112
$IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination 173.11.168.50
______________________________________________________________________

The 3389 to .49 works as it always has under various outside addresses.

.50 is on eth1:1 and is pingable without the PREROUTING rule. I suspect
the issue is POSTROUTING but cannot find anything that tells me the
right way to do this. I have tried variations of this including
different ports and all ports. Would prefer all ports for this
particular application. .112 is a test machine on the inside and I
would like ALL traffic to .50 to be redirected to .112.

Thanks for looking at this,
Robert
Pascal Hambourg
(Msg. 6) Posted: Thu Nov 05, 2009 5:20 pm
Post subject: Re: Iptables PREROUTING Not All Working

Noboby wrote:
>
> echo " Dropping outbound smtp from inside."
>
> # Assume MTA on the gateway box, nothing from the LAN needs to contact
> # the world on port 25 directly.
>
> # Log packets trying to cross the interfaces.
> $IPTABLES -A FORWARD -p tcp --dport 25 -j LOG
>
> # Drop those packets
> $IPTABLES -A FORWARD -p tcp --dport 25 -j DROP
>
> echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> #$IPTABLES -t nat -A POSTROUTING -s xxx.xx.xx.50 -j MASQUERADE
>
> echo " Enabling Terminal Services redirection."
>
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxx.xx.xx.49
> -j DNAT --to-destination 10.1.1.98
>
> echo " Enabling phone vpn redirection."
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50
> -j DNAT --to-destination 10.1.1.112

What kind of VPN uses TCP port 3389?

> $IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination
> 173.11.168.50

SNAT has no --to-destination option. What is the purpose of this rule?
Shouldn't it be 10.1.1.112 instead of 10.0.1.112?

Is this the complete ruleset?

> .50 is on eth1:1 and is pingable without the PREROUTING rule.

The PREROUTING rule matches only TCP, I don't see how it could make ping
(ICMP echo) fail.

> Would prefer all ports for this
> particular application. .112 is a test machine on the inside and I
> would like ALL traffice to .50 to be redirected to .112 .

Just remove "-p tcp --dport 3389" from the DNAT rule.

PS : This is not going anywhere. You just say "it does not work" but you
don't say *what* does not work and *how* it does not work, e.g. you
don't provide any packet trace. How do you expect any help ?
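The two mistakes Pascal points out in this post and in his first reply (an address or an alias such as eth1:1 given to -i/-o, and --to-destination on an SNAT target) are mechanical enough to catch before a script is ever loaded. The linter below is an added example written for this page, not code from the thread or from the iptables project. The sample rules it scans are constructed from the ones posted above, with addresses from the 203.0.113.0/24 documentation range standing in for the redacted xxx.xx.xx.* ones; the $IPTABLES, $INTIF and $EXTIF variable names follow the poster's script.

```shell
#!/bin/sh
# Added example for this page (not code from the thread or from the iptables
# project): a linter for iptables shell scripts that flags, before the script
# is loaded, the mistakes discussed in this thread:
#   1. -i / -o given an IP address or an alias such as eth1:1 instead of a
#      plain interface name (addresses are matched with -s / -d);
#   2. -j SNAT with --to-destination, or -j DNAT with --to-source;
#   3. SNAT placed in PREROUTING, or DNAT in POSTROUTING, which the kernel
#      refuses to load.
# Usage: lint_iptables_rules < rc.firewall   (exit status 1 if anything is flagged)

lint_iptables_rules() {
    findings=$(awk '
    {
        line = $0
        # Join backslash-continued lines into one logical command.
        if (line ~ /\\$/) { buf = buf substr(line, 1, length(line) - 1) " "; next }
        line = buf line; buf = ""
        # Only look at iptables invocations; skip comments and other commands.
        if (line ~ /^[ \t]*#/) next
        if (line !~ /(^|[ \t])(\$IPTABLES|\$IPT|iptables)([ \t]|$)/) next
        n = split(line, f, "[ \t]+")
        chain = ""; target = ""
        for (i = 1; i < n; i++) {
            if (f[i] == "-A" || f[i] == "-I" || f[i] == "-D") chain = f[i + 1]
            if (f[i] == "-j") target = f[i + 1]
            # 1: an interface name never contains "." or ":"
            if ((f[i] == "-i" || f[i] == "-o") && f[i + 1] ~ /[.:]/)
                printf "%s %s: not an interface name, match addresses with -s/-d: %s\n", f[i], f[i + 1], line
        }
        # 2: the option belongs to the other NAT target
        if (target == "SNAT" && line ~ /--to-destination/)
            printf "SNAT takes --to-source, not --to-destination: %s\n", line
        if (target == "DNAT" && line ~ /--to-source/)
            printf "DNAT takes --to-destination, not --to-source: %s\n", line
        # 3: NAT target in a chain where it is not allowed
        if (target == "SNAT" && chain == "PREROUTING")
            printf "SNAT is not valid in PREROUTING, use POSTROUTING: %s\n", line
        if (target == "DNAT" && chain == "POSTROUTING")
            printf "DNAT is not valid in POSTROUTING, use PREROUTING: %s\n", line
    }')
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample, modelled on the rules posted in this thread; the
# 203.0.113.0/24 documentation range stands in for the redacted xxx.xx.xx.*
# addresses. The last two rules are the corrected forms and must pass.
SAMPLE_RULES='IPTABLES=/sbin/iptables
$IPTABLES -A FORWARD -i 203.0.113.51 -o $INTIF -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o 203.0.113.51 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination 203.0.113.50
# corrected forms:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -d 203.0.113.50 -j DNAT --to-destination 10.1.1.112
$IPTABLES -t nat -A POSTROUTING -s 10.1.1.112 -o $EXTIF -j SNAT --to-source 203.0.113.50'

# Lint the sample; exits non-zero because three of its rules are wrong.
lint_sample_rules() {
    printf '%s\n' "$SAMPLE_RULES" | lint_iptables_rules
}

lint_sample_rules || echo "(non-zero exit: the sample contains mistakes)"
```

Run it against a real script with `lint_iptables_rules < /etc/rc.d/rc.firewall`. It only checks the three mistakes above; it says nothing about rule order or missing FORWARD rules, which `iptables -L -v -n` counters and packet captures are for.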
Noboby
(Msg. 7) Posted: Fri Nov 06, 2009 11:30 am
Post subject: Re: Iptables PREROUTING Not All Working

Pascal Hambourg wrote:
> Noboby wrote:

>> echo " Enabling phone vpn redirection."
>> $IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50
>> -j DNAT --to-destination 10.1.1.112
>
> What kind of VPN uses TCP port 3389?
>

Since I could not reach the router on the inside, I tried reaching a
Windows machine. 3389, as you may know, is the port for Remote Desktop
on a Windows machine.

>> $IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination
>> 173.11.168.50
>
> SNAT has no --to-destination option. What is the purpose of this rule?
> Shouldn't it be 10.1.1.112 instead of 10.0.1.112 ?
>

I read that a POSTROUTING rule was necessary. Yes, typo, should be
10.1.1.112.

> Is this the complete ruleset ?

No, I will post the complete after I make some of your suggestions.

>> .50 is on eth1:1 and is pingable without the PREROUTING rule.
>
> The PREROUTING rule matches only TCP, I don't see how it could make ping
> (ICMP echo) fail.

Good point, but it does. Perhaps in combination with another rule.

>> Would prefer all ports for this
>> particular application. .112 is a test machine on the inside and I
>> would like ALL traffice to .50 to be redirected to .112 .
>
> Just remove "-p tcp --dport 3389" from the DNAT rule.

I have tried that with no success.

>
> PS : This is not going anywhere. You just say "it does not work" but you
> don't say *what* does not work and *how* it does not work, e.g. you
> don't provide any packet trace. How do you expect any help ?

Sorry, I thought it would be obvious from my statements. As an example,
for the test 3389 port I should be able to connect to the Windows
machine at .112 with Remote Desktop from the outside using the .50 . I
cannot. Even after correcting the typo, I cannot.

Thanks very much for your help,
Robert
Pascal Hambourg
(Msg. 8) Posted: Fri Nov 06, 2009 5:20 pm
Post subject: Re: Iptables PREROUTING Not All Working

Noboby wrote:
> Pascal Hambourg wrote:
>> Noboby wrote:
>
>>> echo " Enabling phone vpn redirection."
>>> $IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 --dst xxxx.xx.xx.50
>>> -j DNAT --to-destination 10.1.1.112
>> What kind of VPN uses TCP port 3389?
>
> Since I could not reach the router on the inside,

What router on the inside?

> I tried reaching a
> Windows machine. 3389, as you may know, is the port for Remote Desktop
> on a Windows machine.

Ok.

>>> $IPTABLES -t nat -A POSTROUTING -s 10.0.1.112 -j SNAT --to-destination
>>> 173.11.168.50
>>
>> SNAT has no --to-destination option. What is the purpose of this rule?
>> Shouldn't it be 10.1.1.112 instead of 10.0.1.112 ?
>
> I read that a POSTROUTING rule was necessary.

Not for a redirection (DNAT). It affects only outgoing connections, not
incoming connections.

> Yes, typo, should be 10.1.1.112,

And --to-destination should be --to-source.

>> The PREROUTING rule matches only TCP, I don't see how it could make ping
>> (ICMP echo) fail.
>
> Good point, but it does. Perhaps in combination with another rule.

No, it doesn't. A rule with "-p tcp" cannot affect ICMP packets.

> Sorry, I thought it would be obvious from my statements. As an example,
> for the test 3389 port I should be able to connect to the Windows
> machine at .112 with Remote Desktop from the outside using the .50 . I
> cannot. Even after correcting the typo, I cannot.

Connecting to the Windows box with RDP involves more than the DNAT rule:
- the DNATed packets in states NEW,ESTABLISHED must be accepted in the
FORWARD chain
- the Windows box firewall must accept the packets
- the Windows box must run the RDP service
- the Windows box must have a route back to the source through the Linux
box (default gateway)
- the return packets from the Windows box in state ESTABLISHED must be
accepted in the FORWARD chain

I suggest you use packet capture on each interface of the Linux and the
Windows boxes on the path to check whether the packets are transmitted
as expected. You can also insert LOG rules to log these packets through
the iptables chains.
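Pascal's checklist above, turned into rules, as an added example that is neither the poster's rc.firewall nor anything else from the thread. It assumes EXTIF=eth1 and INTIF=eth0 as in the ifconfig output, a FORWARD chain whose default policy is DROP (the posted excerpt does not show the policy), 203.0.113.50 standing in for the redacted .50 on eth1:1, and 10.1.1.112 as the inside test machine; all of these are assumptions. By default the script prints the iptables commands instead of running them, so it can be read and checked before IPTABLES is pointed at the real binary.

```shell
#!/bin/sh
# Added example for this page (not the poster's rc.firewall and not from the
# thread): Pascal's checklist turned into rules that forward ALL traffic for a
# secondary public address to one inside host. Assumptions (none come from the
# thread): EXTIF=eth1 and INTIF=eth0 as in the ifconfig output, FORWARD policy
# DROP (the posted excerpt does not show it), 203.0.113.50 standing in for the
# redacted .50 on eth1:1, and 10.1.1.112 as the inside test machine.
# Dry run by default: commands are printed, not executed. To apply for real:
#   IPTABLES=/sbin/iptables sh dnat-all.sh

EXTIF=${EXTIF:-eth1}
INTIF=${INTIF:-eth0}
PUB_IP=${PUB_IP:-203.0.113.50}
INSIDE=${INSIDE:-10.1.1.112}
IPTABLES=${IPTABLES:-"echo iptables"}

install_full_dnat() {
    # 1. nat/PREROUTING: rewrite the destination of everything that arrives on
    #    the external interface for PUB_IP. No -p/--dport, so ICMP echo and
    #    UDP are redirected as well as TCP.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -d "$PUB_IP" \
        -j DNAT --to-destination "$INSIDE"

    # 2. filter/FORWARD: after DNAT the first packet is routed ext -> int with
    #    destination INSIDE and conntrack state NEW. A rule that only accepts
    #    ESTABLISHED,RELATED in that direction lets the DROP policy eat it.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$INSIDE" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    # 3. filter/FORWARD: replies from INSIDE go int -> ext as ESTABLISHED.
    #    Conntrack restores PUB_IP as their source by itself; no POSTROUTING
    #    rule is needed for the DNATed flows.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INSIDE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. nat/POSTROUTING: only connections that INSIDE itself opens need this,
    #    so that they leave as PUB_IP rather than the MASQUERADE address.
    #    Inserted at position 1 so it is evaluated before MASQUERADE.
    $IPTABLES -t nat -I POSTROUTING 1 -s "$INSIDE" -o "$EXTIF" \
        -j SNAT --to-source "$PUB_IP"
}

install_trace_logging() {
    # LOG rules in front of each chain a redirected packet must cross; the
    # prefixes in the kernel log (dmesg) show which hop a packet reached.
    # Remove them once the path works: they log every matching packet.
    $IPTABLES -t nat -I PREROUTING 1 -i "$EXTIF" -d "$PUB_IP" \
        -j LOG --log-prefix "NAT-PRE: "
    $IPTABLES -I FORWARD 1 -d "$INSIDE" -j LOG --log-prefix "FWD-TO-INSIDE: "
    $IPTABLES -I FORWARD 1 -s "$INSIDE" -j LOG --log-prefix "FWD-FROM-INSIDE: "
}

install_full_dnat
install_trace_logging
```

The rules only cover the Linux box. The other items on the checklist still have to be true: net.ipv4.ip_forward must be 1, the inside host's default gateway must be the gateway's 10.1.1.1, and its own firewall must accept the connection. To see where a packet stops, watch `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` counters while connecting from outside, run `tcpdump -ni eth1 host 203.0.113.50` and `tcpdump -ni eth0 host 10.1.1.112` side by side, and read the NAT-PRE/FWD-* lines in the kernel log.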