IPTables port forwarding

graviti

I have a server running Ubuntu 12.04 Server LTS, 64 bit.

It has an external IP address xxx.xxx.xxx.123 and an internal address of 192.168.0.200.

I then have an internal Windows Server 2003 Standard Edition 32 bit server running IIS 6.0. It has the FTP service running. I am trying to port forward from the Ubuntu machine to the Windows machine.

INTERNET ---- (xxx.xxx.xxx.123)(eth0)UBUNTU(eth1)(192.168.0.240) ----- (192.168.0.241)WINDOWS 2003

I have tried and tried and tried. Below is a dump of my attempts. I have a few services on the Ubuntu server as well. Hope someone can help.

Code:
*mangle
:PREROUTING ACCEPT [143:13314]
:INPUT ACCEPT [137:13036]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [37:20541]
:POSTROUTING ACCEPT [37:20541]
COMMIT
# Completed on Tue Jun  5 16:52:53 2012

*nat
:PREROUTING ACCEPT [15:1509]
:INPUT ACCEPT [4:258]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.241
-A POSTROUTING -o eth0 -j SNAT --to-source xxx.xxx.xxx.123
COMMIT
# Completed on Tue Jun  5 16:52:53 2012

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -s 192.168.0.0/24 -i eth1 -j ACCEPT
-A INPUT -d 192.168.0.255/32 -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -j tcp_inbound
-A INPUT -i eth0 -p udp -j udp_inbound
-A INPUT -i eth0 -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A FORWARD -j bad_packets
-A FORWARD -i eth1 -p tcp -j tcp_outbound
-A FORWARD -i eth1 -p udp -j udp_outbound
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.0.241/32 -i eth0 -p tcp -m tcp --dport 21 -j LOG
-A FORWARD -d 192.168.0.241/32 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "FORWARD packet died: "
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 192.168.0.240/32 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -s 192.168.0.0/24 -i eth0 -j LOG --log-prefix "Illegal source: "
-A bad_packets -s 192.168.0.0/24 -i eth0 -j DROP
-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -i eth1 -p tcp -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 80 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 443 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 21 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --sport 20 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 62000:64000 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 10000 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j DROP
-A udp_inbound -p udp -m udp --dport 138 -j DROP
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Tue Jun  5 16:52:53 2012
 
For further info, the log shows that the file is being NATed. I don't have physical access to the FTP server, but when I ssh into the Ubuntu server, I can ftp onto the Windows server using local addresses. It seems to be something with the firewall. It shows in the log:

Code:
IN=eth0 OUT=eth1 MAC=f0:7d:68:b8:75:92:00:12:80:7b:58:96:08:00 SRC=yy.yyy.yyy.yyy DST=192.168.0.241 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=60341 DF PROTO=TCP SPT=43802 DPT=21 WINDOW=14600 RES=0x00 SYN URGP=0

Which indicates the packet is getting DNATed, but I can't see it actually hitting the Windows server. I am not getting any info back.

HELP
 
Thanks hey

Figured it out. Wasn't a firewall problem at all. Was a problem on the Windows machine. Not my machine. Another guy manages it and set it up. He had the wrong gateway configured. Typo. So the firewall was directing traffic to the server, and then the server was sending it back along a different path.
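The asymmetric-routing failure graviti describes, as an added toy model in Python (not code from the thread): the nat PREROUTING DNAT rule and conntrack reverse mapping on the Ubuntu box, and a Windows host whose default gateway decides whether the SYN-ACK ever comes back through that box. The client address and the wrong gateway value used in the test are constructed; xxx.xxx.xxx.123 is the poster's own placeholder.

```python
from dataclasses import dataclass, replace

# Addresses from the thread; EXT_IP keeps the poster's placeholder, CLIENT is constructed.
EXT_IP = "xxx.xxx.xxx.123"   # Ubuntu eth0
GW_INT = "192.168.0.240"     # Ubuntu eth1, the gateway the Windows box should use
FTP_SRV = "192.168.0.241"    # Windows 2003 running IIS FTP
CLIENT = "203.0.113.7"       # constructed remote FTP client (TEST-NET-3)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class UbuntuRouter:
    """Toy model of the DNAT rule plus the conntrack entry that un-DNATs replies."""
    def __init__(self):
        self.conntrack = {}  # (client, sport) -> original dst, used to rewrite replies

    def from_eth0(self, pkt):
        # -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to-destination 192.168.0.241
        if pkt.dst == EXT_IP and pkt.dport == 21:
            self.conntrack[(pkt.src, pkt.sport)] = pkt.dst
            # -A FORWARD -d 192.168.0.241/32 -i eth0 -p tcp --dport 21 -j ACCEPT
            return replace(pkt, dst=FTP_SRV)
        return None  # other traffic goes to INPUT or is dropped; not modeled here

    def from_eth1(self, pkt):
        # A reply matching a conntrack entry gets its source rewritten back to EXT_IP
        orig_dst = self.conntrack.get((pkt.dst, pkt.dport))
        if orig_dst and pkt.src == FTP_SRV:
            return replace(pkt, src=orig_dst)
        return None  # no conntrack entry: not a connection this box translated

def windows_syn_ack(pkt, gateway):
    """The client is off-subnet, so the Windows box hands its reply to its default gateway."""
    return gateway, Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def ftp_connect(windows_gateway):
    """Return the SYN-ACK as the client sees it, or None if it never arrives."""
    router = UbuntuRouter()
    syn = Pkt(CLIENT, 43802, EXT_IP, 21)  # SPT=43802 as in the poster's log line
    reply_hop, reply = windows_syn_ack(router.from_eth0(syn), windows_gateway)
    if reply_hop != GW_INT:
        return None  # reply leaves by another path; the Ubuntu conntrack never sees it
    return router.from_eth1(reply)
```

With the correct gateway the client receives a SYN-ACK from xxx.xxx.xxx.123:21; with any other gateway the DNATed SYN is logged on the Ubuntu box, exactly as in the post, yet nothing comes back.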
 