
Firewall and IP Tables

Guest_imported
Hi, I'm having some trouble w/ getting iptables to work on Redhat 7.2, 2.4.2-2 kernel, iptables-1.2.1a-1.

I'm doing something very simple, just trying to get it to forward port 80 to an inside IP (10.0.0.55) from an outside IP. I scripted my setup below, and I can't see anything wrong; I copied the iptables command directly from the NAT 2.4 kernel HOWTO. Any ideas? I've been dealing w/ this problem for a month and have totally run into a wall.

thanks,
didget


Script started on Sun Dec 2 16:06:09 2001
[root@localhost bin]# lsmod
Module Size Used by
ipt_LOG 3856 0 (unused)
ip_conntrack_ftp 2448 0 (unused)
iptable_filter 2240 0 (autoclean) (unused)
iptable_nat 15968 0 (autoclean) (unused)
ip_conntrack 15824 2 (autoclean) [ip_conntrack_ftp iptable_nat]
ip_tables 11488 5 [ipt_LOG iptable_filter iptable_nat]
autofs 11136 1 (autoclean)
3c59x 25312 2 (autoclean)
[root@localhost bin]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost bin]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@localhost bin]# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 10.0.0.55:80
[root@localhost bin]# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:http to:10.0.0.55:80

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
Hi,

The iptables code looks OK to me. A few things occur to me that you might like to check:

1) Did you allow IP forwarding by setting the appropriate variable in the /proc filesystem? I.e.:

echo 1 > /proc/sys/net/ipv4/ip_forward

(By default the system will not 'forward' any packets, i.e. those where neither the source nor the destination is the Linux box itself.)

2) Can you actually ping that address successfully from the Linux box?

3) Is there any firewalling going on at the http server (10.0.0.55) itself?

4) Is eth0 your internet interface? Sometimes people get confused between -i and -o.

Hope this helps
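As an added example that is not part of the thread (not ifincham's or any other poster's code), here is a small POSIX shell pre-flight script that checks the two things most often behind a "the DNAT rule is there but nothing arrives" symptom: the ip_forward sysctl from point 1 and the presence of the DNAT rule in the nat PREROUTING chain. The only real path it knows is /proc/sys/net/ipv4/ip_forward; every other input is a parameter, so the checks can be run against a saved `iptables -t nat -L` listing. The sample listing inside it is constructed to mirror the one in the first post.

```shell
#!/bin/sh
# Pre-flight checks for a port-80 DNAT forward on a 2.4-era iptables gateway.
# Added example, not code from the thread. Inputs are files so the checks can
# be run against a saved listing instead of the live box.

# ip_forward_enabled [FILE]: true if the sysctl file holds "1".
# Defaults to the real /proc path; pass another file to test offline.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# has_dnat_rule PORT TARGET < LISTING: true if the PREROUTING chain of an
# 'iptables -t nat -L' listing carries a DNAT rule for that port and target.
# Without -n iptables prints service names, so port 80 may appear as "http".
has_dnat_rule() {
    port="$1"
    target=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    case "$port" in
        80) svc='(80|http)' ;;
        *)  svc="$port" ;;
    esac
    awk '/^Chain PREROUTING/ {p=1; next} /^Chain/ {p=0} p' \
        | grep -Eq "^DNAT +tcp +-- +.* tcp dpt:${svc} +to:${target}(:${port})?( |\$)"
}

# check_forward_setup IPFWD_FILE LISTING_FILE PORT TARGET: prints one line per
# check; the return value is the number of failed checks (0 = all good).
check_forward_setup() {
    fwd="$1"; listing="$2"; port="$3"; target="$4"; fails=0
    if ip_forward_enabled "$fwd"; then
        echo "ok   ip_forward = 1"
    else
        echo "FAIL ip_forward is not 1 (echo 1 > /proc/sys/net/ipv4/ip_forward)"
        fails=$((fails + 1))
    fi
    if has_dnat_rule "$port" "$target" < "$listing"; then
        echo "ok   nat PREROUTING has DNAT for port $port -> $target"
    else
        echo "FAIL nat PREROUTING has no DNAT rule for port $port -> $target"
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample listing, shaped like the one in the first post.
sample_nat_listing() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:http to:10.0.0.55:80

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Offline demo against constructed data: ip_forward left at 0, rule present,
# so exactly one FAIL line is printed and the return value is 1.
demo() {
    fwd=$(mktemp); listing=$(mktemp)
    echo 0 > "$fwd"
    sample_nat_listing > "$listing"
    check_forward_setup "$fwd" "$listing" 80 10.0.0.55
    rc=$?
    rm -f "$fwd" "$listing"
    return $rc
}

# On the gateway itself: iptables -t nat -L > /tmp/nat.txt
#                        check_forward_setup /proc/sys/net/ipv4/ip_forward /tmp/nat.txt 80 10.0.0.55
demo || true
```

The checks are deliberately read-only: they never change a sysctl or a rule, so they can be run on the box as-is and the output pasted into a thread like this one without exposing anything beyond what `iptables -L` already shows.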
 
ONLY REDHAT

In /etc/sysconfig/network, is there a line such as:

FORWARD_IPV4=true

This is needed in addition to ifincham's idea number 1.
 
Well, I've tried both suggestions and still nothing. I also know it has to do with iptables because I can view a webpage on 10.0.0.55 with lynx.
Any other ideas? Is ipchains easier?
 
Hi,

Ipchains is not really any easier; in fact it's more complex on the forwarding side of things. In ipchains something forwarded actually traverses three rulesets, i.e. input, forward, output. Iptables forwarding only requires coding the 'forward' chain.

When you say you can view a page on 10.0.0.55 with lynx, where is that from: the iptables host or outside?

You could try some tests in case your ISP is blocking inbound http or port 80.

Run an Apache test page on the Linux box on port 80 and see if that is accessible externally (turn off nat first). If so, change Apache so that it only listens on another port (e.g. port 8080) by editing the 'Listen 80' in httpd.conf. Turn the rule back on but set the destination as your own box's IP address and port 8080. If you can still access the server on 8080 from outside without explicitly stating the port (i.e. via default port 80) then that should prove whether the actual nat is taking place. If it all seems to work but the port 80 forwarding to 10.0.0.55 still doesn't seem to operate correctly, you could try forwarding to other IP services on that box, e.g. ftp or telnet, to see if there is a particular issue with http. What web server is at 10.0.0.55? Apache, IIS?

Hope this helps


 
The point that is mostly missed here is the one that IF mentioned earlier. Where is the redirected traffic coming from? Where is it seen first?

Assuming that the gateway machine has a dial-up link for inet access, the line would read something like:

iptables -t nat -A PREROUTING -s 0/0 -p tcp --dport 80 -i ppp0 -j DNAT --to address:port

With your FW ruleset there is no reason for this not to work unless there is external filtering, internal filtering or some misconfiguration.

You may want to set up a logging chain for this traffic just to see what happens to traffic that matches.

iptables -N LOGME
iptables -A LOGME -s 0/0 -p tcp --dport 80 -i eth0 -j LOG
iptables -A LOGME -s 0/0 -p tcp --dport 80 -i eth0 -j RETURN

Also you may want to take a look at the man page for iptables again and add an identical DNAT rule for your nat OUTPUT chain.
 
Ok, I tried ifincham's suggestions and set up Apache on the firewall first with port 80, and the page was viewable, then I changed it to port 8080. Ports 80 and 8080 showed the Apache test page correctly. Then when I reinstated the nat rule as I said in the first post, port 80 gets a 404 even though my local testpage works fine from the firewall and port 8080 still shows the testpage I set up on the firewall.

I am running Apache on a Windows 2k box locally.

For the questions of my traffic setup, I have two interfaces, eth0 and eth1. eth0 is an outside IP, always connected, and eth1 has an inside IP. I also tried the rule marsd wrote, replacing ppp0 w/ eth0, and still nothing.

The logging brings me to another question, to me it seems almost as complex as creating the rules. Should I see everything in /var/log/messages?
 
This might be worth a try:

ext_int="external ip of eth0"      # -s/-d take addresses, not interface names
int_int="internal ip of eth1"
local_net="10.0.0.0/24"
ext_net="! $local_net"             # expands unquoted to: ! 10.0.0.0/24 (anything not local)
http_server="ip address of win2k"

# flush existing rules in both tables
iptables -F
iptables -t nat -F

# all ACCEPT for now: all chains
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# a user-defined chain exists in one table only, so build LOG_IT in each table
# that jumps to it (filter for INPUT, nat for PREROUTING/OUTPUT); the trailing
# space in the prefix keeps it from running into the IN= field in the log
for table in filter nat; do
    iptables -t $table -N LOG_IT
    iptables -t $table -A LOG_IT -s $ext_net -d $ext_int -p tcp --dport 80 -j LOG --log-prefix "INCOMING_HTTP_EXT "
    iptables -t $table -A LOG_IT -s $ext_int -d $http_server -p tcp --dport 80 -j LOG --log-prefix "LINUX_GATE_TRAF "
    iptables -t $table -A LOG_IT -s $ext_net -d $ext_int -p tcp --dport 80 -j RETURN
done

#now your input rule
iptables -A INPUT -s $ext_net -d $ext_int -p tcp --dport 80 -j LOG_IT

#now nat rules (-t nat goes before -A)
iptables -t nat -A PREROUTING -s $ext_net -d $ext_int -p tcp --dport 80 -j LOG_IT
iptables -t nat -A PREROUTING -s $ext_net -d $ext_int -p tcp --dport 80 -j DNAT --to-destination $http_server:80

#this is just for locally created (linux gateway) traffic.
iptables -t nat -A OUTPUT -d $http_server -p tcp --dport 80 -j LOG_IT

That should give you some logging of the problem:
(you could just run tcpdump, which I suggest any way-
run for external and internal interfaces)

If there are syntax errors : sue me, it's for free;-)
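To the /var/log/messages question above: yes, the LOG target writes through the kernel log to syslog, which on Red Hat lands in /var/log/messages, one line per matching packet. As an added example that is not part of the thread (not marsd's or anyone else's code), here is a POSIX shell/awk summariser for those lines that counts hits per log prefix, inbound interface, source, destination and port, which is exactly what you need to tell "seen on the outside interface" apart from "actually sent on to the internal box". It assumes the 2.4 kernel's `IN= OUT= SRC= DST= ... DPT=` field layout and a prefix given with a trailing space (e.g. `--log-prefix "INCOMING_HTTP_EXT "`; without the space the kernel glues the prefix to the IN= field). The log lines inside it are constructed with TEST-NET addresses.

```shell
#!/bin/sh
# Summarise iptables LOG lines from /var/log/messages: one line per
# (prefix, in-interface, src, dst, dport) with a hit count.
# Added example, not code from the thread; the sample lines are constructed.

# summarise_http_log < MESSAGES: counts kernel log lines that carry the
# IN= and DPT= fields, keyed by log prefix and the addresses the packet
# was seen with. Lines without those fields (other kernel messages) are skipped.
summarise_http_log() {
    awk '
    /kernel:/ && / IN=/ && / DPT=/ {
        # the prefix is the text between "kernel: " and the first " IN="
        prefix = $0
        sub(/^.*kernel: /, "", prefix)
        sub(/ IN=.*$/, "", prefix)
        in_if = ""; src = ""; dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")       in_if = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        key = prefix " in=" in_if " " src " -> " dst ":" dpt
        hits[key]++
    }
    END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort
}

# Constructed sample in the 2.4 kernel LOG format (TEST-NET addresses):
# two hits from one outside host and one from another on the external
# interface, one gateway-originated packet towards the Windows box, and
# one unrelated kernel line that must be ignored.
sample_messages() {
    cat <<'EOF'
Dec  2 16:10:01 localhost kernel: INCOMING_HTTP_EXT IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:02:b3:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 16:10:04 localhost kernel: INCOMING_HTTP_EXT IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:02:b3:dd:ee:ff:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 16:10:09 localhost kernel: INCOMING_HTTP_EXT IN=eth0 OUT= MAC=00:50:04:aa:bb:cc:00:02:b3:dd:ee:ff:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=777 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 16:10:15 localhost kernel: LINUX_GATE_TRAF IN= OUT=eth1 SRC=192.0.2.10 DST=10.0.0.55 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2000 DF PROTO=TCP SPT=1042 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  2 16:10:20 localhost kernel: eth0: Setting promiscuous mode (constructed noise line without the LOG fields)
EOF
}

# On the gateway: summarise_http_log < /var/log/messages
# Offline demo on the constructed sample:
sample_messages | summarise_http_log
```

Reading the result: a count under the external prefix with nothing under the prefix that logs traffic towards the internal box means the packets reach eth0 but are not being redirected, which is the distinction marsd is asking didget to verify.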


 
Oops: ip addresses instead of interface names: that was the whole idea after all...
 
dough!, I tried it, but still nuthin. I've been dealing w/ this issue for two months, I'm totally frustrated.

thanks,
tk
 
The point of the exercise was to see if the traffic was being directed to the internal machine and whether traffic was being masqueraded. Could you verify that from the logging? Did you use ip addresses instead of interface names? Did you run tcpdump? Give some details please.
 