Port Forwarding using IPTABLES

RiezalR

Technical User
Oct 28, 2002
I am trying to get port forwarding to work on my Linux box using IPTables. There is a variety of sample rulesets available on the Internet, but they don't seem to be able to work for me. Is there anyone here familiar with IPTables?

I want remote requests to my Linux server at port 8080 to be forwarded to an internal machine at 192.168.1.3 port 8080. How do I go about doing this?
 
Try something like this.
iptables -I FORWARD -s 0/0 -d 192.168.1.3 -p tcp --dport 8080 -i $external -j ACCEPT
iptables -t nat -A PREROUTING -i $external -p tcp --dport 80 -j DNAT --to-destination 192.168.1.70:8080

You may want to set up some stateful rules in your
forwarding chain for security purposes.
 
cod3x -

Can you post the script you are working with, or your system's output for "iptables -L" or "iptables -L -v"?


Biker
Systems/Network Administrator
LiveFire Labs - Online UNIX and Linux Training with
Hands-on Lab Exercises
 
Oops.
Last rule should read:
iptables -t nat -A PREROUTING -i $external -p tcp --dport 80 -j DNAT --to-destination 192.168.1.3:8080
 
Thanks for the responses. My current firewall script is the standard rc.firewall-2.4 script. Within that I've tried to put in a few lines that go like this:

PORTFWIP="192.168.1.3"

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 8080 -j DNAT --to $PORTFWIP:8080

$EXTIP being my dynamic IP, which for testing purposes I enter every time my IP is changed. I will make the script obtain my IP by itself later when I get the correct rules working.

I have tried this rule and various other rules made available on the Internet, but none of them seem to work. I do a remote scan on my Linux box and I find port 8080 not open. I can't understand why. Is it important where this rule is placed? If you refer to my rc.firewall at I've placed those rules at the bottom part, just above the line "FWD: Allow all connections OUT and only existing and related ones IN". Should it be placed elsewhere?
 
I'm just posting this to bring the thread up. I'm desperate for some help here.
 
Why would port 8080 show as listening on your
router? Are you running webservice on the router
listening on port 8080?

Add a rule allowing port 8080 in your INPUT chain
if you want.
iptables -A INPUT -s 0/0 -d $EXTINT -p tcp --dport 8080 -j ACCEPT

If you continue to experience difficulties dump
traffic while attempting to connect with tcpdump:
tcpdump dst $webserver port 8080, and see what's
going on from your router/firewall machine.
 
Well, I have Apache running on my gateway (Linux), listening on port 80, and another webserver running on my other machine (Windows XP) connected to my gateway, listening on port 8080. I want my gateway to forward requests on port 8080 to the Windows XP machine. So basically, when will access my Apache webserver and will access my WinXP webserver. This should be possible.

I've set forwarding rules as stated above and it still won't work. I do a port scan on my gateway and port 8080 doesn't seem to be open. Now how do I make that port open? Any ideas?
 
The rules already given should take incoming
traffic coming into port 8080 and forward
them.
You now need to troubleshoot:
Run tcpdump.
Set up a logging chain for this traffic to
corroborate the traffic.
Examine your log files on both gw and windows
machines to see what is going on.
 
cod3x -

Below is a series of 3 rules that you may be able to use as a template to get your configuration working. In this instance the packet is being forwarded to a different port on the internal/private system, but you should be able to adjust/modify to meet your needs. It may also help you to accept all packets until you get things working. Then you can go back and drop everything (all packets) and only open up (accept) what you need.

EXT_CARD is the firewall's Internet interface
EXT_CARD_IP is the IP address for the firewall's Internet interface
PRIVATE_IP is the IP address of the internal/private system


(1) This entry is used to rewrite the packet:

${IPTABLES} -t nat -A PREROUTING -i ${EXT_CARD} -p tcp -d ${EXT_CARD_IP} --dport 1000 -j DNAT --to ${PRIVATE_IP}:2000


(2) This entry is used to log the packet (optional):

${IPTABLES} -A FORWARD -i ${EXT_CARD} -p tcp -m state --state NEW -d ${PRIVATE_IP} --dport 2000 -j LOG --log-level INFO --log-prefix "IPT FORW - connection to xx "


(3) This entry is used to forward the packet:

${IPTABLES} -A FORWARD -i ${EXT_CARD} -p tcp -d ${PRIVATE_IP} --dport 2000 -j ACCEPT


Hope this helps!


Biker
Systems/Network Administrator
LiveFire Labs - Online UNIX and Linux Training with
Hands-on Lab Exercises
 
hi,
should be an ip forwarding problem.

check
cat /proc/sys/net/ipv4/ip_forward
if the content is not `1' the IP forwarding is not activated
to do this, just type:
echo 1 > /proc/sys/net/ipv4/ip_forward

I'm adding this line in all the scripts where I'm using iptables.

 
Thanks for the responses. I will try all of the solutions given to me. But there is one more concern, which is the placement of these rules. Please refer to my firewall script at I was told to place it at the bottom part of the script, just above "FWD: Allow all connections OUT and only existing and related ones IN". Is this the correct place to insert this rule? Or does it not matter?
 
I've used the forwarding rules given by biker1, marsd and some from the Internet. After I insert these rules, re-execute rc.firewall and do a remote scan on my box, port 8080 is still not opened. How am I to troubleshoot the packet forwarding rule when the port I want to forward with is not even open?

Sometimes when I run rc.firewall, it even gives me an error, saying 'Invalid argument -p' or 'Invalid argument --dport'. This is weird, because these options are used in most IPtables rules. I am using iptables v1.2.6a. Should I re-install iptables? My iptables works fine for my IP Masquerading though.
 
FWIW I have run similar configurations many times
and it was a matter of a few moments to get
it to work as I wanted.

Please do not assume that port 8080 on your gw
will show a listening service, it may not.
Before routing occurs incoming traffic is scrutinized
in the nat chain and then if a match is made the traffic
is redirected. If this is not occurring then you have
plenty of tools to troubleshoot the issue.

I assume that your -t nat PREROUTING policy is ACCEPT
currently right?

Some methods:

1)telnet/netcat to port 8080 while running tcpdump, both
client and server side and watch/log the traffic to see
what occurs.
2)Set up a logging chain.
iptables -N LOGNATCHAIN
iptables -A LOGNATCHAIN -s 0/0 -p tcp --syn -j LOG --log-prefix "NAT<->NEWCONNREQ"
iptables -A LOGNATCHAIN -s 0/0 -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "NAT<->CURRCONN"
iptables -A LOGNATCHAIN -j DNAT --to-destination $INSIDEWEB:8080

Apply it to your nat rule:
iptables -A PREROUTING -t nat -i $EXTERNAL -p tcp --dport 8080 -j LOGNATCHAIN
Watch your logfiles: tail -f /var/log/messages or /var/log/warn.

Please try these and the other given techniques before
saying that it "doesn't work", or post more info on
your ruleset.
 
This is how we have that same setup at my office

You need to have 3 things when you want to NAT traffic for web. You need your PREROUTING, FORWARD, and POSTROUTING rule. The PREROUTING rule tells the FW to map the outside address of the web request to the inside IP of the web server. The FORWARD rule tells the FW to forward traffic from one interface to the other, AFTER IT HAS BEEN NAT'ed. That's why it's called PRE and POST ROUTING. The final rule, POSTROUTING, sets the outgoing traffic of the web server, because you don't want everyone to see your inside IP address. So your rules would look like this.


iptables -t nat -A PREROUTING -i $ext_int -p tcp -d (whatever the external ip of the webserver is) --dport 8080 -j DNAT --to (internal ip of the server)

iptables -A FORWARD -i $ext_int -o $int_int -p tcp -d (inside ip of web) --dport 8080 -m state --state NEW -j ACCEPT

iptables -t nat -A POSTROUTING -o $ext_int -s (inside ip of web) -j SNAT --to (outside ip of web)

hope this helps
 
also you must have a forward rule for all connections that are established or related. I left this out because you already had that in your script. I'll add it here so you'll know to have it in your final.

$IPTABLES -A FORWARD -i $ext_int -o $int_int -m state --state ESTABLISHED,RELATED -j ACCEPT
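The rules scattered through this thread, collected into one ordered script as an added example (not from any poster's firewall): ip_forward is switched on first, the nat-table DNAT rewrite comes before the FORWARD rules, and the FORWARD rules match the rewritten internal address. Interface names, the public address and DRY_RUN are assumed placeholders; with DRY_RUN=1 (the default) the commands are printed for review instead of executed.

```shell
#!/bin/sh
# Added example: ordered DNAT port-forward ruleset for the setup in this thread.
# DRY_RUN=1 prints each iptables command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"
IPTABLES="${IPTABLES:-iptables}"
EXTIF="${EXTIF:-eth0}"               # assumed: Internet-facing interface
INTIF="${INTIF:-eth1}"               # assumed: LAN interface
EXTIP="${EXTIP:-203.0.113.10}"       # assumed: gateway public address (doc range)
PORTFWIP="${PORTFWIP:-192.168.1.3}"  # internal web server from the thread
FWPORT="${FWPORT:-8080}"

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# portfwd_rules: emit the rules in the order a packet meets them
portfwd_rules() {
    # Without kernel forwarding the FORWARD chain is never consulted.
    run sysctl -w net.ipv4.ip_forward=1
    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    PREROUTING only exists in the nat table, so -t nat is mandatory.
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" \
        --dport "$FWPORT" -j DNAT --to-destination "$PORTFWIP:$FWPORT"
    # 2. filter/FORWARD sees the packet already rewritten to PORTFWIP, so the
    #    match is on the internal address. Log new connections first (LOG is
    #    non-terminating), then accept them.
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp -d "$PORTFWIP" --dport "$FWPORT" \
        -m state --state NEW -j LOG --log-prefix "IPT FORW $FWPORT: "
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$PORTFWIP" \
        --dport "$FWPORT" -m state --state NEW -j ACCEPT
    # 3. Replies and follow-on packets in both directions.
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# forward_rule_count: number of emitted rules that match the internal host
forward_rule_count() {
    portfwd_rules | grep -c -- "-d $PORTFWIP"
}

portfwd_rules
```

A remote scan of the gateway still shows no service on 8080, as marsd notes above: the SYN is rewritten in PREROUTING and forwarded, so it never reaches a listening socket on the gateway itself.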
 
Stateful rules are always optional.
Related rules may not be desirable, especially with
http traffic.
Renatting outbound traffic is not strictly necessary.
 