Port forwarding
Revision as of 16:38, 10 October 2013
This should be so easy, but I've made several attempts and each has failed, so I need to start keeping track of what I have tried so I don't repeat myself.
The goal is to configure my iptables firewall to pass traffic from the internet through my server to a NATted box on my internal network where I'm running a service of some kind.
References:
- http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#IPHEADERS
- http://www.ridinglinux.org/2008/05/21/simple-port-forwarding-with-iptables-in-linux/
- http://www.centos.org/docs/4/html/rhel-sg-en-4/s1-firewall-ipt-fwd.html
Create the FORWARD rule
[0:0] -A FORWARD -p tcp -d 10.0.0.45 --dport 7777 -j ACCEPT
[0:0] -A FORWARD -p udp -d 10.0.0.45 --dport 7777 -j ACCEPT
Create the NAT rule
[0:0] -A PREROUTING -p tcp --dport 7777 -j DNAT --to-destination 10.0.0.45:7777
Create the MASQUERADE rule.
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
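The three rules above, assembled into one script as an added example that is not the page's own configuration. It writes the rules in the iptables-save format the page uses and loads them with iptables-restore --noflush, so the rest of the existing rule set is left alone. Beyond the page's three rules it adds the two things that most often make this setup fail silently: the net.ipv4.ip_forward sysctl, without which a DNATed packet is discarded after PREROUTING and never reaches FORWARD at all, and a conntrack rule accepting ESTABLISHED,RELATED so the reply packets of the forwarded connection are let through. The interface layout is an assumption (the page only says the test packets arrive on eth1): eth1 is taken as the internet side and eth0 as the side facing 10.0.0.45. With that layout the DNAT is restricted to the internet-facing interface with -i, and MASQUERADE goes on the outbound interface, which is the usual LAN-to-internet source NAT. The page's own -o eth0 MASQUERADE, if eth0 is the LAN side, also rewrites the forwarded connection's source to the firewall's address; that is only needed when 10.0.0.45 does not route replies back through this box, and it hides the real client address from the service's logs. The UDP DNAT is included because the page's FORWARD chain accepts UDP 7777 as well.

```shell
#!/bin/sh
# Added example (not the page's own configuration): forward TCP and UDP 7777
# from the internet-facing interface to a host behind NAT.
# Assumed interface layout (the page does not state it): WAN on eth1, LAN on eth0.
# Usage: sh portfwd.sh apply   (as root)   |   sh portfwd.sh   prints the rule set
set -eu

WAN_IF="${WAN_IF:-eth1}"            # assumption: internet-facing interface
LAN_IF="${LAN_IF:-eth0}"            # assumption: interface toward 10.0.0.45
INT_HOST="${INT_HOST:-10.0.0.45}"   # the NATted box running the service
PORT="${PORT:-7777}"

# Without net.ipv4.ip_forward=1 the kernel drops every packet that is routed
# between interfaces, after PREROUTING and before FORWARD: the DNAT counter
# climbs while FORWARD stays at zero. $1 overrides the sysctl path for testing.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

enable_ip_forward() {
    ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Rules in iptables-save format. Only the chains touched are declared, so
# loading with --noflush leaves the rest of the existing rule set alone.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# -i $WAN_IF: only rewrite connections that arrive from the internet side.
-A PREROUTING -i $WAN_IF -p tcp --dport $PORT -j DNAT --to-destination $INT_HOST:$PORT
-A PREROUTING -i $WAN_IF -p udp --dport $PORT -j DNAT --to-destination $INT_HOST:$PORT
# Source NAT for LAN hosts talking to the internet. Not applied to the
# forwarded connection, so $INT_HOST sees the real client address.
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies and related packets of any connection already accepted below.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD sees the packet after DNAT, so it matches on the internal address.
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INT_HOST --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $INT_HOST --dport $PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

apply_rules() {
    enable_ip_forward
    gen_rules | iptables-restore --noflush
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run it without arguments first to read the generated rule set, then with apply as root. If the firewall's interfaces are the other way round, set WAN_IF and LAN_IF in the environment instead of editing the script.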
Testing with netcat and tcpdump shows the packets arriving at the firewall, but no response. Looking at the verbose iptables listing, I can see that the DNAT rule has matched three packets:
root@weasel:/etc/default# iptables -v -L -t nat
Chain PREROUTING (policy ACCEPT 165 packets, 18154 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DNAT       tcp  --  any    any     anywhere             anywhere             tcp dpt:7777 to:10.0.0.45:7777
However, the FORWARD rule hasn't matched anything yet:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.45            tcp dpt:7777
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.45            udp dpt:7777
I'm not entirely sure that the forward rule needs to match if the redirect has already taken place... But tcpdump tells me that the packets don't appear on any network interfaces after they arrive on eth1.
That makes me think that I have a DROP rule somewhere that is eating my packets. However, I've checked the packet totals and don't see any increase in any of my DROP rules.
Turn up the logging
I've opted to increase the logging of the firewall to see what packets are getting dropped. It might actually be worthwhile to turn logging all the way up and see dropped and accepted packets. Maybe in the middle of the night.
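Two additions for the logging step, written here as an example rather than taken from the page: LOG rules for the FORWARD chain, and a small reader for the counters in an iptables listing. The verdict logic encodes how to read the two listings above: a DROP rule in the filter table cannot be what eats the packets, because its counter would rise too; a DNAT counter that rises while every FORWARD counter, the policy counter included, stays at zero is what you see when the kernel is not forwarding (net.ipv4.ip_forward=0), when there is no route to the target, or when the packet is discarded before the filter table (raw or mangle rules, reverse-path filtering). The sample listing is constructed from the page's own counters in iptables -v -n -x -L form; the log prefixes, rate limits and log level are choices made here, not the page's.

```shell
#!/bin/sh
# Added example, not the page's own setup. Two things the troubleshooting above
# calls for: LOG rules that show what FORWARD accepts and what its DROP policy
# discards, and a reader for `iptables -v -n -x -L` counters that turns the two
# listings into a one-word verdict. Rules are in iptables-restore format.
# Usage: sh fwdlog.sh apply   (as root) loads the LOG rules; no argument runs nothing.
set -eu

PORT="${PORT:-7777}"

# Rule 1 (-I ... 1) sits at the top of FORWARD and logs the first packet of every
# new connection that enters the chain. Rule 2 (-A) is appended last, so it
# fires only for packets no ACCEPT rule took: exactly what the DROP policy
# discards. Both are rate-limited so a scan cannot fill the kernel log.
gen_log_rules() {
    cat <<EOF
*filter
-I FORWARD 1 -m conntrack --ctstate NEW -m limit --limit 30/min --limit-burst 20 -j LOG --log-prefix "FWD-NEW: " --log-level 4
-A FORWARD -m limit --limit 30/min --limit-burst 20 -j LOG --log-prefix "FWD-DROP: " --log-level 4
COMMIT
EOF
}

# Packet counter of the first rule whose listing line contains $1.
# $2 is the text of `iptables -t <table> -v -n -x -L <chain>`; -x matters,
# because without it counters over 999 are abbreviated (12K) and stop parsing.
rule_pkts() {
    printf '%s\n' "$2" | awk -v pat="$1" 'index($0, pat) && $1 ~ /^[0-9]+$/ { print $1; exit }'
}

# $1: nat PREROUTING listing, $2: filter FORWARD listing.
diagnose() {
    nat_pkts="$(rule_pkts "DNAT" "$1")"
    fwd_pkts="$(rule_pkts "dpt:$PORT" "$2")"
    if [ "${nat_pkts:-0}" -eq 0 ]; then
        # Nothing was rewritten: the packet never reached PREROUTING on this box
        # (filtered upstream, wrong interface) or the DNAT match is wrong.
        echo "no-dnat-hit"
    elif [ "${fwd_pkts:-0}" -eq 0 ]; then
        # Rewritten, but the filter FORWARD rule never saw it. A filter DROP
        # rule cannot cause this (it would count too); look at
        # net.ipv4.ip_forward, the route to the target, and the raw/mangle tables.
        echo "dnat-hit-forward-miss"
    else
        # Forwarded to the inside; the remaining suspects are the target host
        # (service listening? host firewall?) and its return route back here.
        echo "forwarded"
    fi
}

# Constructed sample: the counters from the listings on this page, in -n -x form.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 165 packets, 18154 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7777 to:10.0.0.45:7777'
SAMPLE_FWD='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.45            tcp dpt:7777
       0          0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.45            udp dpt:7777'

diagnose_sample() { diagnose "$SAMPLE_NAT" "$SAMPLE_FWD"; }

if [ "${1:-}" = apply ]; then
    gen_log_rules | iptables-restore --noflush
    # Then watch with:  dmesg -w | grep FWD-    (or journalctl -k -f)
fi
```

On the page's listings diagnose_sample answers dnat-hit-forward-miss, which points away from the filter rules and toward forwarding, routing, or the raw and mangle tables. Once the FWD-NEW line shows up in the kernel log for the test connection, the counters in FORWARD should move and the verdict changes to forwarded.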