IPtables help

graviti

Senior Member
Joined
May 8, 2006
Messages
665
HELP!!!

I'm totally stuck here, and hoping a fresh viewpoint can help here. I'm trying to set up port forwarding on a linux gateway.

Basically the machine has two relevant cards.

eth5 has the external IP 196.xx.y.zzz
eth4 has the local IP 192.168.0.254

I'm trying to forward all requests on port 10001 on the external IP to port 10000 on port 192.168.0.238 (Another machine on the network). (This is a practice setup, as I am aware that leaving Webmin world facing is not necessarily bright)

My log on the External IP shows that the packet has been processed in PREROUTING, but it never makes it to 192.168.0.238, even though the log shows

IN=eth5 OUT=eth4 SRC=196.211.240.18 DST=192.168.0.238 LEN=48 TOS=0x10 PREC=0x20 TTL=123 ID=16243 DF PROTO=TCP SPT=62676 DPT=10000 WINDOW=8192 RES=0x00 SYN URGP=0

My iptables rules file is as follows

Code:
-A PREROUTING -p tcp -m tcp -d 196.xx.y.zzz --dport 10001 -j DNAT  --to-destination  192.168.0.238:10000
-A POSTROUTING -s 192.168.0.238 -p tcp --sport 10000 -o eth4 -j SNAT --to-source 196.xx.y.zzz:10001
COMMIT
#
#
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
#
#
#
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -d 192.168.0.238 -j ACCEPT
-A INPUT -s 192.168.0.238 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 10000 -j ACCEPT
-A INPUT ! -i eth5 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
-A FORWARD -d 192.168.0.238 -j LOG
-A FORWARD -p tcp -m tcp -d 192.168.0.238 --sport 10000 -j LOG
-A FORWARD -s 192.168.0.238 -j LOG  --log-level 4
-A FORWARD -s 192.168.0.238 -j ACCEPT
-A FORWARD -d 192.168.0.238 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 25 -j DROP
-A FORWARD -j DROP
COMMIT

Hope someone can help. I've filtered out all unnecessary IPtables rules. Anything remotely related is left here.

Thanks
 

twiga

Well-Known Member
Joined
Aug 5, 2005
Messages
398
Taking a wild stab here, but what does # sysctl net.ipv4.ip_forward say?
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
12,475
Instead of using SNAT rather use MASQUERADE for outgoing connections, then you only need DNAT to forward the ports to an internal machine.

My gut feeling is, the SNAT rule is not working 100%, since the log doesn't show it as dropped. The log also shows that the incoming traffic works, it's the outgoing traffic that is broken. Also SNAT rule has to change every time your public IP on ADSL changes, unless you are on a static IP?

So basically what you need is:

/sbin/iptables -t nat -A POSTROUTING -o eth5 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth5 -o eth4 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth4 -o eth5 -j ACCEPT

then also
echo 1 > /proc/sys/net/ipv4/ip_forward
or net.ipv4.ip_forward = 1 in /etc/sysctl.conf as proposed above.

Your DNAT prerouting rule can stay the same, just remove the SNAT one.

DNAT/SNAT is useful with static IPs only really.
 
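Putting the MASQUERADE-plus-DNAT approach above into one loadable ruleset, as an added example that is not code from anyone in this thread. It assumes the same layout as the original post (eth5 public, eth4 LAN, external port 10001 forwarded to 192.168.0.238:10000); the interface names, addresses and ports are placeholders overridable through environment variables. The DNAT rule matches on the ingress interface rather than on the public address, so it keeps working when the public IP changes, which is what makes the SNAT rule unnecessary.

```shell
#!/bin/sh
# Added example (not from the thread): generate, validate and load an
# iptables-restore file for a single-uplink gateway that forwards one
# external TCP port to a LAN host. All values below are placeholders.

EXT_IF="${EXT_IF:-eth5}"                    # public-facing interface
INT_IF="${INT_IF:-eth4}"                    # LAN-facing interface
EXT_PORT="${EXT_PORT:-10001}"               # port exposed on the public address
INT_HOST="${INT_HOST:-192.168.0.238}"       # LAN host receiving the traffic
INT_PORT="${INT_PORT:-10000}"               # service port on that host
LAN_NET="${LAN_NET:-192.168.0.0/24}"        # LAN range that gets masqueraded

# Emit the complete ruleset on stdout. No -d on the DNAT rule: matching on the
# ingress interface means the rule survives a dynamic public address change,
# and MASQUERADE picks the current address of $EXT_IF for replies.
gen_portforward_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $EXT_IF -p tcp --dport $EXT_PORT -j DNAT --to-destination $INT_HOST:$INT_PORT
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i $EXT_IF -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT
-A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $INT_HOST --dport $INT_PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Refuse to load unless forwarding is on, and let iptables-restore parse the
# file (--test) before committing it, so a typo cannot leave a half-loaded
# table behind.
apply_portforward_rules() {
  [ "$(sysctl -n net.ipv4.ip_forward 2>/dev/null)" = "1" ] || {
    echo "net.ipv4.ip_forward is not 1; forwarded packets would be dropped" >&2
    return 1
  }
  gen_portforward_rules | iptables-restore --test || return 1
  gen_portforward_rules | iptables-restore
}

# "apply" loads the rules; any other invocation just prints them for review.
case "${1:-}" in
  apply) apply_portforward_rules ;;
  *) gen_portforward_rules ;;
esac
```

Run it with no argument to review the generated file, then `sh script.sh apply` as root on the gateway. The FORWARD chain only accepts new inbound connections to the forwarded port, and the final LOG rule records anything else that is dropped, which is a quicker way to confirm whether a packet reached the filter stage than the per-host LOG rules in the original post.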

graviti

Senior Member
Joined
May 8, 2006
Messages
665
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth5 -j MASQUERADE


was already in there. Sorry. It didn't come across in the original copy/paste. :)

I added the SNAT rule afterwards, when the DNAT's weren't working.

The /proc/sys/net/ipv4/ip_forward was already set to 1. I can forward from internal to external no problem (i.e. act as a gateway). I use a proxy for everyone, but give myself straight through access. However, it's the external to internal issue that is thwarting me.

Shot for the ideas. Gonna keep trying
 

Murlin

Active Member
Joined
Dec 11, 2008
Messages
69
Hi Graviti

Did you come right here? From the messages log it looks like your input chain is stopping the packet.
 

graviti

Senior Member
Joined
May 8, 2006
Messages
665
Hi guys.

Two step problem. My firewall input rules were not refreshing properly with iptables-restore. Reboot the machine, and the packets started going through. But then they wouldn't come back. I just figured out that that is due to my routing setup. I have two physical networks, each with their own gateway. I was coming in a network A, to my machine with network cards on both networks. However the default gateway on my machine uses network B to go out, so the packet source was wrong.

i.e. comes in via 196.xx.y.zz1, from 196.211.240.18. It is routed via 192.168.0.254 to 192.168.0.238. Then the local machine wants to get to 196.211.240.18 so it uses the default gateway and goes back out via 192.168.1.238 to 192.168.1.254, which was then masqueraded as 196.xx.y.zz2. So 196.211.240.18 thinks it is waiting for a reply from 196.xx.yy.zz1, but is getting the reply from 196.xx.yy.zz2, which is where the problem arises.

Thanks for the input.
 

Tinuva

The Magician
Joined
Feb 10, 2005
Messages
12,475
If you have multiple public interfaces with different IPs, you will need to start to mark packets, and based on the packet mark route it out differently, i.e. also multiple routing tables. This can become quite complicated and even more so to explain.
 
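The mark-and-route approach just described, written out as an added example that is not from anyone in the thread. It assumes one gateway box holding both public uplinks (the thread's layout spreads them over two hosts), and uses constructed placeholder interface names, next-hop addresses and table numbers. Connections are tagged with a conntrack mark on arrival, the mark is copied back onto reply packets before routing, and a per-uplink routing table sends each reply out through the interface the connection came in on, which is exactly the mismatch the previous post describes.

```shell
#!/bin/sh
# Added example (not from the thread): answer each inbound connection through
# the uplink it arrived on, using CONNMARK and one routing table per uplink.
# Interface names, gateways, marks and table numbers are placeholders.

UPLINK_A="${UPLINK_A:-eth5}"                 # first public interface
UPLINK_A_GW="${UPLINK_A_GW:-203.0.113.1}"    # its next hop (placeholder)
UPLINK_B="${UPLINK_B:-eth6}"                 # second public interface
UPLINK_B_GW="${UPLINK_B_GW:-198.51.100.1}"   # its next hop (placeholder)
LAN_IF="${LAN_IF:-eth4}"                     # interface facing the forwarded host
MARK_A=1;   MARK_B=2                         # connection marks, one per uplink
TABLE_A=101; TABLE_B=102                     # routing tables, one per uplink

# Print the commands instead of running them, so the plan can be reviewed
# before it touches a live gateway.
gen_policy_routing() {
  cat <<EOF
# 1. Remember which uplink a new inbound connection came through.
iptables -t mangle -A PREROUTING -i $UPLINK_A -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK_A
iptables -t mangle -A PREROUTING -i $UPLINK_B -m conntrack --ctstate NEW -j CONNMARK --set-mark $MARK_B
# 2. Reply packets coming back from the LAN get the connection mark copied
#    onto the packet before the routing decision is made.
iptables -t mangle -A PREROUTING -i $LAN_IF -m connmark ! --mark 0 -j CONNMARK --restore-mark
# 3. One routing table per uplink, chosen by packet mark. Unmarked traffic
#    (connections the LAN opened itself) keeps using the main table.
ip route add default via $UPLINK_A_GW dev $UPLINK_A table $TABLE_A
ip route add default via $UPLINK_B_GW dev $UPLINK_B table $TABLE_B
ip rule add fwmark $MARK_A table $TABLE_A
ip rule add fwmark $MARK_B table $TABLE_B
# 4. Strict reverse-path filtering drops packets whose best return route is a
#    different interface; loose mode (2) still rejects spoofed sources that
#    are unroutable altogether.
sysctl -w net.ipv4.conf.all.rp_filter=2
EOF
}

# Apply only on request; the default action is a dry run.
case "${1:-}" in
  apply) gen_policy_routing | sh -e ;;
  *) gen_policy_routing ;;
esac
```

The DNAT rule from the earlier posts is unchanged: it lives in the nat table and runs after mangle PREROUTING, so the mark is already attached to the conntrack entry by the time the destination is rewritten. Check the result with `ip rule show` and `ip route show table 101`, and with `conntrack -L` (where the conntrack tools are installed) to see the mark column on live entries.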

graviti

Senior Member
Joined
May 8, 2006
Messages
665
It's fine. All I'll do is use the other interface for the forwarding. I should have done that in the first place.
 