
Once again iptables

matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Once again iptables

Post by matthew »

For testing I have created a virtual machine (vbox) on my local computer. Now I want to forward calls on port 81 through the firewall. I'm a little bit confused why my setup is not working. I edited the necessary apache conf files (etc/apache2/ports.conf, etc/apache2/sites-available/default) to listen on port 81 and the iptables rules. Calling server.local:81 works, but if I call from outside it doesn't work. Here are the added iptables rules:

Code:

-A FORWARD -i eth0 -p tcp --dport 81 -m state --state NEW -j ACCEPT
-A PREROUTING -p tcp --dport 81 -j DNAT --to-destination 192.168.10.49:81

The FORWARD rule is in the first position in the chain. The IP address is a static address outside the DHCP range. In my opinion an additional masquerading rule is not required because of the factory-set standard rule, so I think. What could I have forgotten?

best regards, matthew
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Once again iptables

Post by Gordon »

Drop the state NEW part in the FORWARD rule; this is only useful if you add additional filtering rules to prevent stuff like DoS attacks (e.g. --limit). Besides, it makes you depend on the existing rule for states RELATED and ESTABLISHED, so do you still have that one?

Also I think the ruleset is somewhat sloppy and you should be more distinctive in what you're trying to achieve. Right now this ruleset will also lead to your vbox web page if you would call http://www.excito.com:81 and that is probably not what you intended.
- add the original destination that should be rewritten to the vhost IP to the DNAT rule (i.e. your WAN address)
- add the vhost IP as the destination in the FORWARD rule

Also verify that your vhost can access (ping) the internet; the DNAT rule only rewrites the packet's destination, not the origin.
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: Once again iptables

Post by matthew »

so do you still have that one?
yes, of course! I've experimented with your hints and nothing helps... Could it be that the rewrite rules in /etc/apache2/conf.d/admin.conf make my requests impossible by changing, for example, http://ip:81 into http://ip/admin:81?
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Once again iptables

Post by Gordon »

Changing the port in apache really doesn't make any difference and honestly you shouldn't have bothered because you can also change the port in the DNAT rule.

Just wondering something: did you insert these rules manually in the firewall.conf file? Are you sure you added them to the correct sections in this file, because it actually sounds like the rules don't get added at all.
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: Once again iptables

Post by matthew »

Ok, thanks Gordon, I see I have to explain something more. First, besides the rules I would like to insert in my ruleset, I use the delivered ruleset of excito, which you can find in /etc/network/firewall.conf. As shown below, this is the original file with my added rules and with line numbers:

Code:

  1 # Generated by iptables-save v1.4.8 on Wed Mar  7 12:25:12 2012
  2 *nat
  3 :PREROUTING ACCEPT [41:4052]
  4 -A PREROUTING -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.10.49:81
  5 :INPUT ACCEPT [23:2017]
  6 :OUTPUT ACCEPT [14:1088]
  7 :POSTROUTING ACCEPT [1:90]
  8 -A POSTROUTING -o eth0 -j MASQUERADE
  9 COMMIT
 10 # Completed on Wed Mar  7 12:25:12 2012
 11 # Generated by iptables-save v1.4.8 on Wed Mar  7 12:25:12 2012
 12 *filter
 13 :INPUT DROP [0:0]
 14 :FORWARD DROP [0:0]
 15 :OUTPUT ACCEPT [1:260]
 16 -A INPUT -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
 17 -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
 18 -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 19 -A INPUT -i br0 -j ACCEPT
 20 -A INPUT -i lo -j ACCEPT
 21 -A INPUT -i eth0 -p icmp -m icmp --icmp-type 11 -j ACCEPT
 22 -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
 23 -A INPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
 24 -A INPUT -i eth0 -p tcp -m tcp --dport 41667 -j ACCEPT
 25 -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
 26 -A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 27 -A INPUT -i eth0 -p tcp -m tcp --dport 143 -j ACCEPT
 28 -A INPUT -i eth0 -p tcp -m tcp --dport 993 -j ACCEPT
 29 -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
 30 -A FORWARD -d 192.168.10.49 -i eth0 -p tcp -m tcp --dport 81 -j ACCEPT
 31 -A FORWARD -i br0 -j ACCEPT
 32 -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 33 -A FORWARD -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
 34 COMMIT
 35 # Completed on Wed Mar  7 12:25:12 2012

The first step was to make a copy for security reasons. The next point was to think about forwarding. I inserted the rule in line 30. It is known that I need to add a PREROUTING rule (line 4) which changes the destination IP header to my server IP. By the way, I use the command

Code:

iptables-restore firewall.conf

to integrate new rules. How do I check whether calls match the rule? With the command

Code:

iptables -vnL

and for the nat table

Code:

iptables -t nat -vnL

I watch these commands every 0.5 s and the output gives detailed information about packet flow for each rule.
These two rules make it possible to reach my server from outside of my local net via browser. But if I try to do it from inside, it fails. I don't get the mistake. For example, I call http://wan-ip:81 from inside, which doesn't work, but from outside the same call works.
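The counter check described in this post can be scripted instead of watched by eye. The following is an added example, not code from the thread or from Excito: it reads the packet-counter column of an "iptables -t nat -vnxL" listing (the -x flag prints exact counts instead of 12K-style abbreviations) and reports whether the port-81 DNAT rule saw new packets between two snapshots. The two listings inside the script are constructed to resemble that command's output; on a real box the same functions read from the command itself, as the commented usage at the end shows.

```sh
#!/bin/sh
# Added example, not from the thread: read the packet counters of
# `iptables -t nat -vnxL` and tell whether the port-81 DNAT rule is matching.
# Both listings below are constructed sample data shaped like real iptables output.

sample_before() {
    cat <<'EOF'
Chain PREROUTING (policy ACCEPT 41 packets, 4052 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        720 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81 to:192.168.10.49:81

Chain POSTROUTING (policy ACCEPT 1 packets, 90 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     130       9864 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
EOF
}

# The same listing a moment later: three more packets (180 bytes) hit the DNAT rule.
sample_after() {
    sample_before | awk '$3 == "DNAT" { $1 = $1 + 3; $2 = $2 + 180 } { print }'
}

# Packet counter of the first rule whose target is $1 and whose match text
# contains "dpt:$2" (exact port, so 81 does not match 810).
# Reads a -vnxL listing on stdin; prints nothing if no such rule exists.
rule_pkts() {
    awk -v t="$1" -v p="$2" '$3 == t && $0 ~ ("dpt:" p "([^0-9]|$)") { print $1; exit }'
}

# Difference in the DNAT counter between the two snapshots.
dnat_delta() {
    a="$(sample_before | rule_pkts DNAT 81)"
    b="$(sample_after  | rule_pkts DNAT 81)"
    echo $(( ${b:-0} - ${a:-0} ))
}

# Turn a delta into a verdict a human can act on.
verdict() {
    if [ "${1:-0}" -gt 0 ]; then
        echo "matching: $1 new packet(s) rewritten by the DNAT rule"
    else
        echo "not matching: check the rule's -i/-d restrictions, or whether firewall.conf was loaded at all"
    fi
}

# Real usage (needs root): snapshot, wait half a second, snapshot again.
#   a=$(iptables -t nat -vnxL | rule_pkts DNAT 81); sleep 0.5
#   b=$(iptables -t nat -vnxL | rule_pkts DNAT 81); verdict $((b - a))
verdict "$(dnat_delta)"
```

A zero delta while you are actively sending requests is the interesting case: either the packet arrives on an interface the rule does not name (the -i eth0 restriction does not see br0 traffic) or, as suggested earlier in the thread, the rules never got loaded.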
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Once again iptables

Post by Gordon »

Okay, but those are not the same rules as the ones you posted before. While the sequence is a bit off - regular format would show line 4 after line 7 - the fact that it does work from the outside proves that the rules actually are active though, so no worries there.

So you wonder why it doesn't work from the inside. The problem is that in this case you're accessing the internal interface br0 and move on to the router that transfers you to the wan interface eth0 and then after routing (i.e. POSTROUTING) expect the PREROUTING rules to kick in. They don't. This is why I said before that you need to be more specific in your ruleset: if you want traffic that originates from your LAN to go some place else if it accesses the IP that is assigned to the WAN interface eth0, you need to write a PREROUTING rule that (also) catches interface br0.

Like so:

Code:

-A PREROUTING -i br0 -d $eth0_IP -p tcp --dport 81 -j DNAT --to-destination .....

Or just strike the '-i br0' bit and delete the line that you currently have (it becomes obsolete in this case).
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: Once again iptables

Post by matthew »

thanks again,
While the sequence is a bit off - regular format would show line 4 after line 7 - the fact that it does work from the outside proves that the rules actually are active though, so no worries there.
You are totally right, I thought it was clearer displayed that way, but iptables writes it like you said...
Now I have a PREROUTING rule:

Code:

-A PREROUTING -d mywan-ip -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.10.49:81

which matches from inside and from outside, because I removed the "-i interface" part. A question regarding this rule: could you give me a workaround for keeping the wan-ip up to date? Where is the right place to declare such a global variable?

So, the result now is that I can still access from outside -> everything's fine, but from inside only the PREROUTING rule matches, not the FORWARD rule, so I'm not able to access from inside.

To precisely describe my call: I invoke a no-ip.org-domain, which makes a port-redirect on port 81 on my wan-ip.
Gordon
Posts: 1464
Joined: 10 Aug 2011, 03:18

Re: Once again iptables

Post by Gordon »

Well the fun part is that the B3 performs a rewrite on firewall.conf when there is a DHCP renewal on eth0, which can be either good or bad. It is good if eth0 actually receives your public internet address and it is bad if the B3 is on a private range behind your ISP's router.

I posted an alternative method for the latter case in the Shorewall on B3 howto.
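Putting the advice in this thread together, as an added example that is not code from the thread or from Excito: the script below emits the nat and filter fragments for forwarding port 81 to 192.168.10.49, with the DNAT restricted to the WAN address, the FORWARD rule restricted to the destination host, and an extra POSTROUTING rule on br0 so that LAN clients that connect via the WAN address (or the no-ip name) get their replies back through the router, which is the usual fix for the "works from outside, not from inside" symptom reported above. It also addresses the question of where to keep the wan-ip: the address is read from eth0 with ip(8) each time the rules are generated, so a DHCP renewal just means regenerating. Interface names, host and port are the thread's; the 203.0.113.5 fallback in the usage line is a placeholder from documentation address space.

```sh
#!/bin/sh
# Added example, not from the thread or from Excito: emit the nat/filter rules
# for forwarding one TCP port from the WAN side to a LAN host, including the
# POSTROUTING "hairpin" rule for LAN clients that connect via the WAN address.

# Current IPv4 address of an interface, taken from ip(8) (iproute2).
# Prints nothing if the interface has no address or ip(8) is unavailable.
wan_ip_of() {
    ip -4 -o addr show dev "$1" 2>/dev/null |
        awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# Print an iptables-restore(8)-style fragment.
# $1 WAN address  $2 LAN host  $3 port  $4 WAN interface  $5 LAN interface
gen_forward_rules() {
    wan="$1" host="$2" port="$3" wan_if="$4" lan_if="$5"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite only packets addressed to our own WAN address; no -i, so $lan_if traffic is caught too.
-A PREROUTING -d $wan -p tcp -m tcp --dport $port -j DNAT --to-destination $host:$port
# Hairpin: after DNAT the packet leaves on $lan_if towards $host. Source-NAT it to the
# router so $host answers the router, which un-NATs the reply for the LAN client.
-A POSTROUTING -o $lan_if -d $host -p tcp -m tcp --dport $port -j MASQUERADE
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# From the WAN side only the forwarded port may reach the LAN host.
-A FORWARD -d $host -i $wan_if -p tcp -m tcp --dport $port -j ACCEPT
-A FORWARD -i $lan_if -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage: resolve eth0's current address, falling back to a placeholder
# (203.0.113.5, documentation space, not a real address) when run off-box.
wan="$(wan_ip_of eth0)"
gen_forward_rules "${wan:-203.0.113.5}" 192.168.10.49 81 eth0 br0
```

The output is a fragment, not a complete firewall.conf: merge the nat and filter lines into the matching sections of /etc/network/firewall.conf (keeping the INPUT rules that file already has) rather than piping the fragment straight into iptables-restore, which replaces every table it lists. Without the hairpin MASQUERADE line, a LAN client's request is DNATed correctly but the LAN host answers the client directly from its own address, and the client discards a reply from a peer it never talked to.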
a1n
Posts: 18
Joined: 18 Jan 2011, 05:41
Location: Netherlands

Re: Once again iptables

Post by a1n »

Hi Matthew, I want to set up a testing machine too on Vbox on my local machine. Have you succeeded? Could you give me some guidance on the settings in Vbox please? What linux version did you select (Debian? 64bit?)

Regards a1n
/a1n
matthew
Posts: 21
Joined: 06 Dec 2011, 15:46
Location: Germany, Leipzig

Re: Once again iptables

Post by matthew »

Hi,
Related to the topic: I didn't succeed, because of time pressure. What settings do you mean? I installed a debian-netinstall image (32bit)...
Greetz