iptables, SNAT/DNAT, port forwarding problems.

Post by Wayne Bradne » Tue, 20 Mar 2001 04:09:37



I'm having big problems getting port forwarding to work with my 2.4.0/iptables setup. I have outbound (SNAT) masquerading working just fine:

EXTERNAL_IP=xxx.xxx.xxx.xxx  # external ip
LOCAL_NET=192.168.2.0/24     # internal ip
EXTERNAL_IF=eth1
LOCAL_IF=eth0

iptables -t nat -F
iptables -t nat -A POSTROUTING -o ${EXTERNAL_IF} -s ${LOCAL_NET} -j SNAT --to ${EXTERNAL_IP}

I have the following lines to log and forward all www traffic to my internal web server on 192.168.2.1:

iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j LOG --log-prefix 'www-fwd:'
iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j DNAT --to 192.168.2.1:80
iptables -A FORWARD -i ${EXTERNAL_IF} -p tcp --dport 80 -d 192.168.2.1 -o ${LOCAL_IF} -j LOG --log-prefix 'forwarding:'   # LOCAL_IF is the variable defined above; INTERNAL_IF was never set

When I try to access the web server (at $EXTERNAL_IF) from the internet, I get the following four (sanitized) log entries:

Mar 18 18:07:50 <xxx> kernel: www-fwd:IN=eth1 OUT= MAC=<xxx> SRC=<xxx> DST=<${EXTERNAL_IF}> LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:50 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:53 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:59 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

Clearly, the first entry is the DNAT rule firing, and the other three seem to be failed attempts to send the packet on to my web server. My web server logs no page requests, and I've even tried a rule in the web server's INPUT chain to log all www traffic:

iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix 'www:'

Nothing gets logged on the web server. It seems that packets are correctly leaving the firewall, but not arriving at the web server. But short of getting a line analyzer on wire, I can't prove this.

Just to prove to myself that iptables on my web server wasn't somehow dropping the forwarded packets without telling me, I set up Apache on a Win2000 machine I have on my local net, and tried forwarding port 80 to that machine, and I still got no responses.

Does anyone have any idea what's going on here? What am I missing?

(iptables 1.1.1-2 on both the firewall and the web server).

Thanks and regards,
WMB
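The four log lines above already carry most of the diagnosis, and the following script, added here as an illustration and not part of the thread, extracts it. The sample lines are constructed from the post, with the sanitised <xxx> fields replaced by placeholder values (203.0.113.5 for the client, 198.51.100.1 for the external address, a zeroed MAC). Pairing the 'www-fwd:' entry with the 'forwarding:' entry by IP ID shows the destination rewritten from the external address to 192.168.2.1 with the TTL decremented once, so DNAT and routing did their job; three SYNs from the same client port (SPT=1093) three and six seconds apart are TCP retransmissions, which means no SYN/ACK ever got back to the client.

```shell
#!/bin/sh
# Added example (not from the thread): pull the diagnosis out of kernel LOG
# lines like the ones in the post. The sample below is constructed from the
# post with the sanitised <xxx> fields replaced by placeholder values
# (203.0.113.5 client, 198.51.100.1 external address, zeroed MAC).
SAMPLE_LOG='Mar 18 18:07:50 fw kernel: www-fwd:IN=eth1 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=198.51.100.1 LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:50 fw kernel: forwarding:IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:53 fw kernel: forwarding:IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 18 18:07:59 fw kernel: forwarding:IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0'
FIRST_LINE=$(printf '%s\n' "$SAMPLE_LOG" | sed -n 1p)

# Extract one KEY=value field from a kernel LOG line. The key must be preceded
# by a space or a colon (the prefix is glued to IN=). An empty value, as with
# OUT= on the PREROUTING line, yields an empty string.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ :]$2=\([^ ]*\).*/\1/p"
}

# Pair the nat PREROUTING log (taken before the DNAT rule) with the FORWARD
# log (after DNAT) by IP ID and report how the destination was rewritten.
# The TTL is one lower on the FORWARD line because the packet was routed.
dnat_rewrites() {
    printf '%s\n' "$1" | awk '
        function field(key,   i, kv) {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key) return kv[2]
            }
            return ""
        }
        /www-fwd:/    { pre[field("ID")]  = field("DST") ":" field("TTL") }
        /forwarding:/ { post[field("ID")] = field("DST") ":" field("TTL") }
        END {
            for (id in pre) if (id in post) {
                split(pre[id], a, ":"); split(post[id], b, ":")
                if (a[1] != b[1] && a[2] - b[2] == 1)
                    printf "ID=%s DST %s -> %s (TTL %s -> %s)\n", id, a[1], b[1], a[2], b[2]
            }
        }'
}

# Count SYN retransmissions seen by the FORWARD LOG rule: the same client
# socket (SRC:SPT) sending a SYN to the same server socket (DST:DPT) more
# than once means the client never received a SYN/ACK.
syn_retransmits() {
    printf '%s\n' "$1" | awk '
        /forwarding:/ && / SYN / {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                if (kv[1] == "SPT") spt = kv[2]
                if (kv[1] == "DST") dst = kv[2]
                if (kv[1] == "DPT") dpt = kv[2]
            }
            n[src ":" spt "->" dst ":" dpt]++
        }
        END {
            total = 0
            for (k in n) if (n[k] > 1) total += n[k] - 1
            print total
        }'
}

echo "DNAT rewrites confirmed by the logs:"
dnat_rewrites "$SAMPLE_LOG"
echo "SYN retransmissions with no reply: $(syn_retransmits "$SAMPLE_LOG")"
```

Run against a real /var/log/messages by passing its contents instead of the constructed sample; a non-zero retransmission count together with confirmed rewrites points at the return path (server to client) rather than at the firewall's forwarding, which is exactly where the thread ends up.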


iptables, SNAT/DNAT, port forwarding problems.

Post by Sven Golcher » Tue, 20 Mar 2001 05:43:33


Wayne,

have you got a rule on the FORWARD chain to actually ACCEPT the incoming packets? If you just -j LOG, the packets will further traverse the FORWARD chain after being logged.

Sven


> I'm having big problems getting port forwarding to work with my 2.4.0/iptables setup. I have outbound (SNAT) masquerading working just fine:

> EXTERNAL_IP=xxx.xxx.xxx.xxx  # external ip
> LOCAL_NET=192.168.2.0/24     # internal ip
> EXTERNAL_IF=eth1
> LOCAL_IF=eth0

> iptables -t nat -F
> iptables -t nat -A POSTROUTING -o ${EXTERNAL_IF} -s ${LOCAL_NET} -j SNAT --to ${EXTERNAL_IP}

> I have the following lines to log and forward all www traffic to my internal web server on 192.168.2.1:

> iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j LOG --log-prefix 'www-fwd:'
> iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j DNAT --to 192.168.2.1:80
> iptables -A FORWARD -i ${EXTERNAL_IF} -p tcp --dport 80 -d 192.168.2.1 -o ${INTERNAL_IF} -j LOG --log-prefix 'forwarding:'

> When I try to access the web server (at $EXTERNAL_IF) from the internet, I get the following four (sanitized) log entries:

> Mar 18 18:07:50 <xxx> kernel: www-fwd:IN=eth1 OUT= MAC=<xxx> SRC=<xxx> DST=<${EXTERNAL_IF}> LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> Mar 18 18:07:50 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> Mar 18 18:07:53 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> Mar 18 18:07:59 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

> Clearly, the first entry is the DNAT rule firing, and the other three seem to be failed attempts to send the packet on to my web server. My web server logs no page requests, and I've even tried a rule in the web server's INPUT chain to log all www traffic:

> iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix 'www:'

> Nothing gets logged on the web server. It seems that packets are correctly leaving the firewall, but not arriving at the web server. But short of getting a line analyzer on wire, I can't prove this.

> Just to prove to myself that iptables on my web server wasn't somehow dropping the forwarded packets without telling me, I set up Apache on a Win2000 machine I have on my local net, and tried forwarding port 80 to that machine, and I still got no responses.

> Does anyone have any idea what's going on here? What am I missing?

> (iptables 1.1.1-2 on both the firewall and the web server).

> Thanks and regards,
> WMB



iptables, SNAT/DNAT, port forwarding problems.

Post by Wayne Bradne » Tue, 20 Mar 2001 07:11:01


Sven,

In fact, the LOG rule is the only rule in my FORWARD chain -- it's only
there to prove to myself that the packet is getting forwarded after DNAT.
The policy of my FORWARD chain is ACCEPT, so I assume that the packet
reaches the end of the FORWARD chain and is accepted (and forwarded) by
default.

Regards,
WMB


> Wayne,
>
> have you got a rule on the FORWARD chain to actually ACCEPT the incoming
> packets? If you just -j LOG, the packets will further traverse the FORWARD
> chain after being logged.
>
> Sven
>
> > I'm having big problems getting port forwarding to work with my
> > 2.4.0/iptables setup. I have outbound (SNAT) masquerading working just fine:
> >
> > EXTERNAL_IP=xxx.xxx.xxx.xxx  # external ip
> > LOCAL_NET=192.168.2.0/24     # internal ip
> > EXTERNAL_IF=eth1
> > LOCAL_IF=eth0
> >
> > iptables -t nat -F
> > iptables -t nat -A POSTROUTING -o ${EXTERNAL_IF} -s ${LOCAL_NET} -j SNAT --to ${EXTERNAL_IP}
> >
> > I have the following lines to log and forward all www traffic to my
> > internal web server on 192.168.2.1:
> >
> > iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j LOG --log-prefix 'www-fwd:'
> > iptables -t nat -A PREROUTING -i ${EXTERNAL_IF} -p tcp -d ${EXTERNAL_IP} --dport 80 -j DNAT --to 192.168.2.1:80
> > iptables -A FORWARD -i ${EXTERNAL_IF} -p tcp --dport 80 -d 192.168.2.1 -o ${INTERNAL_IF} -j LOG --log-prefix 'forwarding:'
> >
> > When I try to access the web server (at $EXTERNAL_IF) from the internet,
> > I get the following four (sanitized) log entries:
> >
> > Mar 18 18:07:50 <xxx> kernel: www-fwd:IN=eth1 OUT= MAC=<xxx> SRC=<xxx> DST=<${EXTERNAL_IF}> LEN=48 TOS=0x00 PREC=0x00 TTL=126 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> > Mar 18 18:07:50 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=728 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> > Mar 18 18:07:53 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=730 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> > Mar 18 18:07:59 <xxx> kernel: forwarding:IN=eth1 OUT=eth0 SRC=<xxx> DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=731 DF PROTO=TCP SPT=1093 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
> >
> > Clearly, the first entry is the DNAT rule firing, and the other three
> > seem to be failed attempts to send the packet on to my web server. My web
> > server logs no page requests, and I've even tried a rule in the web server's
> > INPUT chain to log all www traffic:
> >
> > iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix 'www:'
> >
> > Nothing gets logged on the web server. It seems that packets are
> > correctly leaving the firewall, but not arriving at the web server. But
> > short of getting a line analyzer on wire, I can't prove this.
> >
> > Just to prove to myself that iptables on my web server wasn't somehow
> > dropping the forwarded packets without telling me, I set up Apache on a
> > Win2000 machine I have on my local net, and tried forwarding port 80 to that
> > machine, and I still got no responses.
> >
> > Does anyone have any idea what's going on here? What am I missing?
> >
> > (iptables 1.1.1-2 on both the firewall and the web server).
> >
> > Thanks and regards,
> > WMB


iptables, SNAT/DNAT, port forwarding problems.

Post by Sven Golcher » Tue, 20 Mar 2001 10:01:00


Wayne,

the trouble might be that reply packets from your web server to the internal clients are not routed through the firewall, hence not reversely NATted, so your internal clients fail to recognize them as replies.

The Linux 2.4 NAT HOWTO, v1.0.1, chapter 10, names two ways around this: 1. put up an internal DNS, 2. SNAT the internal requests to the web server before they leave the NAT box, like:

iptables -t nat -A POSTROUTING -d 192.168.2.1 -s 192.168.2.0/24 \
   -p tcp --dport 80 -j SNAT --to $NATboxInternalIP

I know this doesn't explain why your web server doesn't even log incoming packets from your LAN, but your log might fool you...

Sven


> Sven,

> In fact, the LOG rule is the only rule in my FORWARD chain -- it's only
> there to prove to myself that the packet is getting forwarded after DNAT.
> The policy of my FORWARD chain is ACCEPT, so I assume that the packet
> reaches the end of the FORWARD chain and is accepted (and forwarded) by
> default.

> Regards,
> WMB
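The two points Sven raises in this thread (an explicit ACCEPT in FORWARD, since a LOG target never ends chain traversal, and the hairpin SNAT from the NAT HOWTO for LAN clients that use the external address) are put together below in one rule set. This is an added example, not the poster's script and not the HOWTO's text; every address is a documentation-range placeholder (198.51.100.1 as the external address, 192.168.2.254 as the NAT box's LAN address, the latter standing in for Sven's $NATboxInternalIP), and the script only prints the rules unless run as `apply`.

```shell
#!/bin/sh
# Added example, not the poster's script or the HOWTO's text: the port
# forward from this thread completed with explicit FORWARD rules and the
# "hairpin" SNAT rule quoted above, so that LAN clients using the external
# address get their replies back through the NAT box.
# All addresses are documentation-range placeholders, not the poster's.
EXTERNAL_IP=${EXTERNAL_IP:-198.51.100.1}                 # public address (placeholder)
EXTERNAL_IF=${EXTERNAL_IF:-eth1}
LOCAL_IF=${LOCAL_IF:-eth0}
LOCAL_NET=${LOCAL_NET:-192.168.2.0/24}
WEB_SERVER=${WEB_SERVER:-192.168.2.1}
NATBOX_INTERNAL_IP=${NATBOX_INTERNAL_IP:-192.168.2.254}  # NAT box's LAN address (placeholder)

# Print the rules unless invoked as "apply" (as root), so the rule set can be
# reviewed before it touches a live firewall.
DRY_RUN=1
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    ipt -t nat -F
    ipt -F FORWARD
    # Forward nothing by default; the rules below say what is allowed.
    ipt -P FORWARD DROP

    # Outbound masquerading, as in the original post.
    ipt -t nat -A POSTROUTING -o "$EXTERNAL_IF" -s "$LOCAL_NET" \
        -j SNAT --to-source "$EXTERNAL_IP"

    # Port forward. No "-i $EXTERNAL_IF" here: the rewrite must also apply to
    # LAN clients that address the server by its public address, or the
    # hairpin rule below has nothing to work on.
    ipt -t nat -A PREROUTING -p tcp -d "$EXTERNAL_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER:80"

    # A LOG target never terminates traversal, so the forwarded connection
    # needs an explicit ACCEPT. Reply and related traffic is matched by
    # connection state rather than by opening ports.
    ipt -A FORWARD -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LOCAL_IF" -o "$EXTERNAL_IF" -s "$LOCAL_NET" -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Hairpin (NAT HOWTO, as quoted above): LAN -> server requests leave with
    # the NAT box's own address as source, so the server's replies return to
    # the NAT box to be un-NATted instead of going straight to the client,
    # which would not recognise them as replies.
    ipt -t nat -A POSTROUTING -d "$WEB_SERVER" -s "$LOCAL_NET" -p tcp --dport 80 \
        -j SNAT --to-source "$NATBOX_INTERNAL_IP"
}

build_rules
```

The cost of the hairpin rule is that the web server's access log shows the NAT box's address for every LAN client, which is why the HOWTO offers an internal DNS entry as the alternative. `--to-source` and `--to-destination` are the full spellings of the `--to` abbreviation used in the thread.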