Port Forwarding using IPTABLES

Status
Not open for further replies.

RiezalR (Technical User), Oct 28, 2002
I am trying to get port forwarding to work on my Linux box using IPTables. There is a variety of sample rulesets available on the Internet, but they don't seem to work for me. Is there anyone here familiar with IPTables?

I want remote requests to my Linux server at port 8080 to be forwarded to an internal machine at 192.168.1.3 port 8080. How do I go about doing this?
 
OK, I'm getting fed up with this. All the rules given to me seem to be correct. It somehow won't work for me. I've tried changing various variables and it still won't forward the requests. Please take a look at the files below:

<- rc.firewall script
<- iptables -L
<- iptables -t nat -L -n

I'm just wondering, would this line in my firewall script cause the problem:
$IPTABLES -P FORWARD DROP

marsd,
I tried to put in the logging chain you posted; it seemed to give an error: "Chain already exists". When I try to telnet to my external IP at port 8080, it says connection refused.

Please take a look at those links above and tell me where I went wrong. Thanks in advance.
 
Now I tried something different: I removed all of the rules posted here and used this one:

iptables -t nat -A PREROUTING --dst $EXT_IP -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.3:80

$EXT_IP being my static IP. And amazingly, this works. The difference from the other rules was that I didn't use the argument -i $EXTIF ($EXTIF being my ppp0). Can anyone explain why this works compared to the other rules?

However, using this rule I cannot access this site from my internal network. Let's say I use my Windows XP box (which is the internal web server itself) to access the page: it won't come up. No access. I'm thinking it's a routing problem.
 
Oops, I meant $EXT_IP being my DYNAMIC IP. Now I have to figure out a way to have the script fetch my dynamic IP automatically, so I don't have to put in my dynamic IP manually every time it changes.
 
Use the -i flag to specify which interface to NAT traffic on, so your access is transparent; that way you don't have to worry about dynamic addresses inside and out.

iptables -t nat -A PREROUTING --dst $EXT_IP -i $EXTERNAL -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.3:80

Where $EXTERNAL is your Internet-connected device name, e.g. eth1.
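To tie the pieces of this thread together (the DNAT rule, marsd's -i match on the external interface, the "-P FORWARD DROP" question, and the LAN host that cannot reach the forwarded port through the external address), here is an added example in the style of an rc.firewall script. It is not code from the thread. The interface names (ppp0 external, eth0 LAN), the LAN subnet 192.168.1.0/24 and the address 203.0.113.10 are assumptions for illustration; the hairpin rules in step 3 go beyond what the thread posted and address the "no access from the internal network" symptom.

```shell
#!/bin/sh
# Added example, not code from the thread: rc.firewall-style helpers that
# emit the iptables rules behind a port forward, including the pieces this
# thread tripped over: the -i match on the external interface, FORWARD
# rules (needed when the FORWARD policy is DROP), and hairpin rules so a
# LAN host can reach the service via the external address.
# Run with IPTABLES=echo to see the exact commands without applying them.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# The kernel must route between interfaces at all for DNAT to be useful.
enable_routing() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# One rule for all reply traffic; call once, before any forward_port.
# Without it, '-P FORWARD DROP' silently drops the server's replies.
allow_established() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_port EXTIF EXT_IP LANIF LANNET PORT DEST_IP DEST_PORT
# e.g. forward_port ppp0 203.0.113.10 eth0 192.168.1.0/24 8080 192.168.1.3 80
forward_port() {
    extif=$1; ext_ip=$2; lanif=$3; lannet=$4; port=$5; dest_ip=$6; dest_port=$7

    # 1. Rewrite the destination of packets that arrive on the external
    #    interface for EXT_IP:PORT. Matching on -i keeps the rule from
    #    catching LAN traffic that happens to use the same port.
    $IPTABLES -t nat -A PREROUTING -i "$extif" -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest_ip:$dest_port"

    # 2. DNAT only rewrites the address; the packet still has to pass
    #    FORWARD, which drops it under '-P FORWARD DROP' unless allowed.
    $IPTABLES -A FORWARD -p tcp -d "$dest_ip" --dport "$dest_port" \
        -m state --state NEW -j ACCEPT

    # 3. Hairpin: a LAN client talking to EXT_IP:PORT needs the same DNAT
    #    on the LAN interface, plus source NAT so the server replies to the
    #    gateway instead of straight to the client (a direct reply from
    #    192.168.1.3 does not match the client's connection to EXT_IP and
    #    is answered with a RST).
    $IPTABLES -t nat -A PREROUTING -i "$lanif" -s "$lannet" -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest_ip:$dest_port"
    $IPTABLES -t nat -A POSTROUTING -o "$lanif" -s "$lannet" -d "$dest_ip" -p tcp --dport "$dest_port" \
        -j MASQUERADE
}
```

A typical rc.firewall call order is enable_routing, allow_established, then one forward_port per service; the MASQUERADE in step 3 costs you the real client address in the server's logs for LAN clients only, which is the usual trade-off of hairpin NAT.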
 
I'm trying to extract my dynamic IP from ifconfig with this script:

EXT_IP=$(ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed 's/addr://')

I got this off the Internet and it does output the current IP I have. But I am not too sure whether this would work in my firewall script. During boot time, my firewall script will be executed. It is only when I log in as root and run 'adsl-start' that ppp0 will be up and running with an IP address. Would this script do the job? I have read that there is a script called 'ip-up'. Any ideas?
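The ifconfig-parsing approach and the 'ip-up' script mentioned above fit together; the following is an added example, not code from the thread or from any distribution's ppp package. It generalises the one-liner to both the old ("inet addr:") and the newer ("inet ") ifconfig output formats, and shows the hook that pppd runs when the link comes up, which is where a dynamic address has to be picked up (at boot, before adsl-start, ppp0 has no address yet). pppd passes the interface name as $1 and the local address as $4 to /etc/ppp/ip-up; the chain name PORTFWD, the address 203.0.113.45 in the constructed sample, and the install path /etc/ppp/ip-up.local are assumptions. Rebuilding a private chain (create once, flush every run) also avoids the "Chain already exists" error reported earlier in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread: read a PPP interface's current
# IPv4 address out of ifconfig output, and re-apply the port forward from
# pppd's ip-up hook so the DNAT rule follows a dynamic address instead of
# being fixed at boot, before adsl-start has run.
# Run with IPTABLES=echo to see the commands without applying them.

IPTABLES="${IPTABLES:-/sbin/iptables}"
CHAIN=PORTFWD   # private nat chain: flushed and rebuilt on every address change

# Constructed sample of old net-tools 'ifconfig ppp0' output.
SAMPLE_IFCONFIG='ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.45  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# Print the IPv4 address from ifconfig output on stdin. Accepts both the
# old format ("inet addr:1.2.3.4") and the newer one ("inet 1.2.3.4");
# prints nothing when the interface has no address (e.g. link still down).
ext_ip_from_ifconfig() {
    awk '$1 == "inet" { sub(/^addr:/, "", $2); print $2; exit }'
}

# ext_ip ppp0  -> current address, or empty
ext_ip() {
    ifconfig "$1" 2>/dev/null | ext_ip_from_ifconfig
}

# apply_forward EXT_IP EXTIF DEST_IP:DEST_PORT PORT
# Creates the chain once and flushes it each time, so re-running the script
# does not fail with "iptables: Chain already exists" the way a bare
# 'iptables -N' does on the second run.
apply_forward() {
    ext_ip=$1; extif=$2; dest=$3; port=$4
    [ -n "$ext_ip" ] || { echo "apply_forward: no address for $extif" >&2; return 1; }
    $IPTABLES -t nat -N "$CHAIN" 2>/dev/null || true
    $IPTABLES -t nat -F "$CHAIN"
    # Re-hook the chain: delete any old jump, then add it exactly once.
    $IPTABLES -t nat -D PREROUTING -i "$extif" -j "$CHAIN" 2>/dev/null || true
    $IPTABLES -t nat -A PREROUTING -i "$extif" -j "$CHAIN"
    $IPTABLES -t nat -A "$CHAIN" -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest"
}

# pppd runs /etc/ppp/ip-up (and on many distributions ip-up.local or
# ip-up.d/*) with: interface tty speed local-ip remote-ip ipparam.
# Installed as /etc/ppp/ip-up.local (assumed path), this re-applies the
# forward every time ppp0 comes up, with whatever address it was given.
ip_up_hook() {
    [ "$1" = ppp0 ] || return 0
    apply_forward "$4" "$1" 192.168.1.3:80 8080
}

# Only act when invoked by pppd (a local address is passed as $4).
if [ -n "${4:-}" ]; then
    ip_up_hook "$@"
fi
```

From an rc.firewall run at boot you would instead call `apply_forward "$(ext_ip ppp0)" ppp0 192.168.1.3:80 8080`, which fails cleanly while the link is down; the ip-up hook then fills the rule in once pppd has an address.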
 
cod3x -

Can you bring your network interface up during boot time (invoke 'adsl-start') before the firewall script runs?

Just a quick thought.


Biker
Systems/Network Administrator
LiveFire Labs - Online UNIX and Linux Training with Hands-on Lab Exercises
 
Biker1,
Well, I did think of that, but I didn't think it was possible. I thought that we needed to at least log in to the system before we could dial a connection. If this is actually possible, do let me know which scripts I should be editing. In the meantime I shall look this up. Thanks for the idea. You guys have been a great help.
 
I'm having a similar problem to this guy/girl. I'm using static NAT to forward requests for one of my external IPs to an internal IP running a web server (Windows 2000). I'm using Shorewall (great product) to configure iptables.

The requests do get forwarded to the Windows machine, but the responses don't get returned to the remote client. I've used WinDump to dump the IP traffic going to and from port 80 and can see that the requests make it to the web server and that responses are sent back.

Here is the weird part. The remote client usually doesn't get the response. I've managed to get only one lynx client to get a response back from the web server. Any other client doesn't get anything back or errors out with a network read error.

I have another IP forwarding to a Linux machine on port 80 and it works fine. The configuration is exactly the same for the two NAT rules. I tried it with two different Windows machines with the same results.

This is the tcpdump output when trying to access the Windows machine (unsuccessfully), with each packet on a separate line:

tcpdump: listening on eth1

19:30:59.285448 u-08.39250 > 192.168.0.51.http: S [tcp sum ok] 162777574:162777574(0) win 5840 <mss 1460,sackOK,timestamp 130763556 0,nop,wscale 0> (DF) (ttl 46, id 33474, len 60)

19:30:59.285643 192.168.0.51.http > u-08.39250: S [tcp sum ok] 2284289472:2284289472(0) ack 162777575 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 128, id 11749, len 64)

19:30:59.323841 u-08.39250 > 192.168.0.51.http: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 130763560 0> (DF) (ttl 46, id 33475, len 52)

19:30:59.324397 192.168.0.51.http > u-08.39250: F [tcp sum ok] 1:1(0) ack 1 win 64240 <nop,nop,timestamp 67481 130763560> (DF) (ttl 128, id 11750, len 52)

19:30:59.330101 u-08.39250 > 192.168.0.51.http: P 1:733(732) ack 1 win 5840 <nop,nop,timestamp 130763560 0> (DF) (ttl 46, id 33476, len 784)

19:30:59.330400 192.168.0.51.http > u-08.39250: R [tcp sum ok] 2284289474:2284289474(0) win 0 (DF) (ttl 128, id 11751, len 40)

19:30:59.354366 u-08.39250 > 192.168.0.51.http: . [tcp sum ok] 733:733(0) ack 2 win 5840 <nop,nop,timestamp 130763563 67481> (DF) (ttl 46, id 33477, len 52)

19:30:59.354537 192.168.0.51.http > u-08.39250: R [tcp sum ok] 2284289474:2284289474(0) win 0 (ttl 128, id 11752, len 40)

This is the tcpdump output when trying to access the Linux machine (successfully), with each packet on a separate line:

tcpdump: listening on eth1

19:34:12.183432 u-08.39251 > 192.168.0.52.http: S [tcp sum ok] 347597062:347597062(0) win 5840 <mss 1460,sackOK,timestamp 130782846 0,nop,wscale 0> (DF) (ttl 46, id 32632, len 60)

19:34:12.184317 192.168.0.52.http > u-08.39251: S [tcp sum ok] 329115987:329115987(0) ack 347597063 win 5792 <mss 1460,sackOK,timestamp 986700 130782846,nop,wscale 0> (DF) (ttl 64, id 0, len 60)

19:34:12.221537 u-08.39251 > 192.168.0.52.http: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 130782850 986700> (DF) (ttl 46, id 32633, len 52)

19:34:12.227803 u-08.39251 > 192.168.0.52.http: P 1:733(732) ack 1 win 5840 <nop,nop,timestamp 130782850 986700> (DF) (ttl 46, id 32634, len 784)

19:34:12.228363 192.168.0.52.http > u-08.39251: . [tcp sum ok] 1:1(0) ack 733 win 6588 <nop,nop,timestamp 986705 130782850> (DF) (ttl 64, id 59140, len 52)

19:34:12.241317 192.168.0.52.http > u-08.39251: P 1:204(203) ack 733 win 6588 <nop,nop,timestamp 986706 130782850> (DF) (ttl 64, id 59141, len 255)

19:34:12.242263 192.168.0.52.http > u-08.39251: F [tcp sum ok] 204:204(0) ack 733 win 6588 <nop,nop,timestamp 986706 130782850> (DF) (ttl 64, id 59142, len 52)

19:34:12.298443 u-08.39251 > 192.168.0.52.http: . [tcp sum ok] 733:733(0) ack 204 win 6432 <nop,nop,timestamp 130782857 986706> (DF) (ttl 46, id 32635, len 52)

19:34:12.304556 u-08.39251 > 192.168.0.52.http: F [tcp sum ok] 733:733(0) ack 205 win 6432 <nop,nop,timestamp 130782858 986706> (DF) (ttl 46, id 32636, len 52)

19:34:12.305812 192.168.0.52.http > u-08.39251: . [tcp sum ok] 205:205(0) ack 734 win 6588 <nop,nop,timestamp 986710 130782858> (DF) (ttl 64, id 59143, len 52)

19:34:13.312320 u-08.39252 > 192.168.0.52.http: S [tcp sum ok] 356999753:356999753(0) win 5840 <mss 1460,sackOK,timestamp 130782959 0,nop,wscale 0> (DF) (ttl 46, id 62630, len 60)

19:34:13.312769 192.168.0.52.http > u-08.39252: S [tcp sum ok] 341868990:341868990(0) ack 356999754 win 5792 <mss 1460,sackOK,timestamp 986810 130782959,nop,wscale 0> (DF) (ttl 64, id 0, len 60)

19:34:13.338370 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 130782961 986810> (DF) (ttl 46, id 62631, len 52)

19:34:13.344386 u-08.39252 > 192.168.0.52.http: P 1:742(741) ack 1 win 5840 <nop,nop,timestamp 130782961 986810> (DF) (ttl 46, id 62632, len 793)

19:34:13.344813 192.168.0.52.http > u-08.39252: . [tcp sum ok] 1:1(0) ack 742 win 6669 <nop,nop,timestamp 986812 130782961> (DF) (ttl 64, id 36611, len 52)

19:34:13.355453 192.168.0.52.http > u-08.39252: P 1:212(211) ack 742 win 6669 <nop,nop,timestamp 986814 130782961> (DF) (ttl 64, id 36612, len 263)

19:34:13.355918 192.168.0.52.http > u-08.39252: . 212:1660(1448) ack 742 win 6669 <nop,nop,timestamp 986814 130782961> (DF) (ttl 64, id 36613, len 1500)

19:34:13.400946 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 212 win 6432 <nop,nop,timestamp 130782967 986814> (DF) (ttl 46, id 62633, len 52)

19:34:13.401375 192.168.0.52.http > u-08.39252: . 1660:3108(1448) ack 742 win 6669 <nop,nop,timestamp 986818 130782967> (DF) (ttl 64, id 36614, len 1500)

19:34:13.401551 192.168.0.52.http > u-08.39252: P 3108:4556(1448) ack 742 win 6669 <nop,nop,timestamp 986818 130782967> (DF) (ttl 64, id 36615, len 1500)

19:34:13.508124 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 1660 win 8688 <nop,nop,timestamp 130782978 986814> (DF) (ttl 46, id 62634, len 52)

19:34:13.508642 192.168.0.52.http > u-08.39252: . 4556:6004(1448) ack 742 win 6669 <nop,nop,timestamp 986828 130782978> (DF) (ttl 64, id 36616, len 1500)

19:34:13.508820 192.168.0.52.http > u-08.39252: . 6004:7452(1448) ack 742 win 6669 <nop,nop,timestamp 986828 130782978> (DF) (ttl 64, id 36617, len 1500)

19:34:13.508935 192.168.0.52.http > u-08.39252: FP 7452:8486(1034) ack 742 win 6669 <nop,nop,timestamp 986828 130782978> (DF) (ttl 64, id 36618, len 1086)

19:34:13.614051 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 3108 win 11584 <nop,nop,timestamp 130782989 986818> (DF) (ttl 46, id 62635, len 52)

19:34:13.720258 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 4556 win 14480 <nop,nop,timestamp 130782999 986818> (DF) (ttl 46, id 62636, len 52)

19:34:13.839246 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 6004 win 17376 <nop,nop,timestamp 130783011 986828> (DF) (ttl 46, id 62637, len 52)

19:34:13.945443 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 7452 win 20272 <nop,nop,timestamp 130783022 986828> (DF) (ttl 46, id 62638, len 52)

19:34:14.061489 u-08.39252 > 192.168.0.52.http: . [tcp sum ok] 742:742(0) ack 8487 win 23168 <nop,nop,timestamp 130783034 986828> (DF) (ttl 46, id 62639, len 52)


Any help would be greatly appreciated. Thanks in advance.
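The two captures above can be compared mechanically. What follows is an added example, not part of the post: an awk-based triage that groups the old-style tcpdump lines by connection and reports whether the server ever sent payload, and whether it sent FIN before the client's request arrived. On the lines from the post (abridged into the sample below) it flags the 192.168.0.51 connection, where the server's FIN follows the handshake immediately, before the 732-byte request, and the request is then answered with RST; the 192.168.0.52 connection is reported normal. The function name and the verdict wording are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: triage an old-style tcpdump TCP
# listing and report, per connection, whether the server sent any data and
# whether it closed (FIN) before the client's request arrived.
# SAMPLE_CAPTURE is abridged from the capture posted in the thread.

SAMPLE_CAPTURE='19:30:59.285448 u-08.39250 > 192.168.0.51.http: S [tcp sum ok] 162777574:162777574(0) win 5840 <mss 1460,sackOK,timestamp 130763556 0,nop,wscale 0> (DF) (ttl 46, id 33474, len 60)
19:30:59.285643 192.168.0.51.http > u-08.39250: S [tcp sum ok] 2284289472:2284289472(0) ack 162777575 win 64240 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF) (ttl 128, id 11749, len 64)
19:30:59.323841 u-08.39250 > 192.168.0.51.http: . [tcp sum ok] 1:1(0) ack 1 win 5840 <nop,nop,timestamp 130763560 0> (DF) (ttl 46, id 33475, len 52)
19:30:59.324397 192.168.0.51.http > u-08.39250: F [tcp sum ok] 1:1(0) ack 1 win 64240 <nop,nop,timestamp 67481 130763560> (DF) (ttl 128, id 11750, len 52)
19:30:59.330101 u-08.39250 > 192.168.0.51.http: P 1:733(732) ack 1 win 5840 <nop,nop,timestamp 130763560 0> (DF) (ttl 46, id 33476, len 784)
19:30:59.330400 192.168.0.51.http > u-08.39250: R [tcp sum ok] 2284289474:2284289474(0) win 0 (DF) (ttl 128, id 11751, len 40)
19:34:12.183432 u-08.39251 > 192.168.0.52.http: S [tcp sum ok] 347597062:347597062(0) win 5840 <mss 1460,sackOK,timestamp 130782846 0,nop,wscale 0> (DF) (ttl 46, id 32632, len 60)
19:34:12.184317 192.168.0.52.http > u-08.39251: S [tcp sum ok] 329115987:329115987(0) ack 347597063 win 5792 <mss 1460,sackOK,timestamp 986700 130782846,nop,wscale 0> (DF) (ttl 64, id 0, len 60)
19:34:12.227803 u-08.39251 > 192.168.0.52.http: P 1:733(732) ack 1 win 5840 <nop,nop,timestamp 130782850 986700> (DF) (ttl 46, id 32634, len 784)
19:34:12.241317 192.168.0.52.http > u-08.39251: P 1:204(203) ack 733 win 6588 <nop,nop,timestamp 986706 130782850> (DF) (ttl 64, id 59141, len 255)
19:34:12.242263 192.168.0.52.http > u-08.39251: F [tcp sum ok] 204:204(0) ack 733 win 6588 <nop,nop,timestamp 986706 130782850> (DF) (ttl 64, id 59142, len 52)'

# triage_capture [SERVICE]   (reads tcpdump lines on stdin; SERVICE defaults to http)
# Output, sorted: "<client> <server> <verdict>" per connection.
triage_capture() {
    awk -v svc="${1:-http}" '
    # Field layout: time src > dst: flags [tcp sum ok] first:last(len) ...
    $3 == ">" {
        src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
        # The first:last(len) token shifts right when "[tcp sum ok]" is present.
        len = 0
        for (i = 6; i <= NF; i++)
            if ($i ~ /^[0-9]+:[0-9]+\([0-9]+\)$/) {
                len = $i; sub(/.*\(/, "", len); sub(/\)/, "", len); len = len + 0
                break
            }
        if (dst ~ ("\\." svc "$")) {                # client -> server
            key = src " " dst; seen[key] = 1
            if (len > 0) creq[key] += len
        } else if (src ~ ("\\." svc "$")) {         # server -> client
            key = dst " " src; seen[key] = 1
            if (len > 0) sdata[key] += len
            if (flags ~ /F/ && !(key in sfin))
                sfin[key] = (creq[key] > 0) ? "after-request" : "before-request"
            if (flags ~ /R/) srst[key] = 1
        }
    }
    END {
        for (k in seen) {
            if (sdata[k] > 0)
                v = "OK server sent " sdata[k] " bytes"
            else if (sfin[k] == "before-request")
                v = "BAD server closed before any request data" (srst[k] ? ", then reset" : "")
            else if (srst[k])
                v = "BAD server reset without data"
            else
                v = "INCOMPLETE no server data seen"
            print k " " v
        }
    }' | sort
}

# Usage on a live capture:  tcpdump -n -i eth1 port 80 | triage_capture http
# Usage on the sample:      printf '%s\n' "$SAMPLE_CAPTURE" | triage_capture http
```

A "closed before any request data" verdict points at the listening application rather than at NAT: the handshake completed, so the forward and the return path both work, and the server chose to close.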
 
Never mind. My problem must have been related to the server I was running. I installed Tomcat and it works fine now. Must not be able to access JRun Developer Edition from the Internet? Who knows.
 
I'm also getting an error

"iptables: Chain already exists"

being sent to my syslog. Any idea what might be causing this, or where I might look?

I'm running a box that was pre-installed as a web-hosting device.

Mahalo,

Joe
 