
Port forwarding

Got problems with your B2 or B3? Share and get helped!
Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Port forwarding

Post by Eek »

Hi

did someone try and use port forwarding?
it doesn't seem to work
although iptables looks correct
# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:www to:192.168.1.130:8083

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp time-exceeded

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:8083

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
according to this Port 80 should be open, right?

cheers
Eek
Binkem
Posts: 388
Joined: 10 Jul 2008, 02:26

Post by Binkem »

I had some problems with port forwarding but now I have transferred all external sites to bubba so I don't use this function anymore (this means that I cannot tell whether the last updates fixed my issues).
pa
Posts: 308
Joined: 06 Dec 2006, 04:38
Location: Sweden

Post by pa »

Hi,

It seems as if you are trying to forward external port 80 to internal ip 192.168.1.130 on port 8083.

Is this the setup that you need, and do you have anything on 192.168.1.130 listening on port 8083?

What you can do is to run "iptables -vL" on both the filter and nat tables and note the number of packets that have traversed your specific rule. Then try to access again from the outside, run the iptables command again and see if the number of packets has changed.
Please also check the access logs on your server to see if you have any connections made.

What you should note is that there is currently a limitation in the forwarding rules that does not allow you to access the portforward from within your own network.
Or more accurately, the packets are being forwarded but the source address of the packet is not rewritten. Therefore the server (in this case 192.168.1.130) will send the answer directly to the requesting computer on your local network and the packet will be thrown away since it does not come from the router (to which the original packet was sent).
This is a limitation that applies only when you are trying to access the portforward from within the LAN, not if it is being accessed from an IP outside your LAN range.

/PA
Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Post by Eek »

Hi
I moved the website from the bubba to bubba2
but still the port forwarding does not work
I have an apache2 server running on port 8080
heracles:/var/log/apache2# netstat -an|grep LISTEN |grep 8080
tcp6 0 0 :::8080 :::* LISTEN
Create a new rule
heracles:/var/log# iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 6039 packets, 800K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:www to:192.168.1.3:8080

Chain POSTROUTING (policy ACCEPT 3991 packets, 1335K bytes)
pkts bytes target prot opt in out source destination
1533 88332 MASQUERADE 0 -- any eth0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 4139 packets, 1344K bytes)
pkts bytes target prot opt in out source destination
heracles:/var/log# iptables -vL
Chain INPUT (policy DROP 354 packets, 41737 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
977 356K ACCEPT 0 -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
102K 29M ACCEPT 0 -- eth1 any anywhere anywhere
11 2400 ACCEPT 0 -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere anywhere icmp time-exceeded

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
515K 27M ACCEPT 0 -- eth1 any anywhere anywhere
728K 963M ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:webcache

Chain OUTPUT (policy ACCEPT 33814 packets, 14M bytes)
pkts bytes target prot opt in out source destination
Now I will hit the site from outside, using my phone and the www.grc.com Shields Up utility.
Now I get hits on the NAT rule, but not on the FORWARD.
Also no entries in the access.log.
heracles:/var/log/apache2# iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 6923 packets, 847K bytes)
pkts bytes target prot opt in out source destination
32 1448 DNAT tcp -- eth0 any anywhere anywhere tcp dpt:www to:192.168.1.3:8080

Chain POSTROUTING (policy ACCEPT 4037 packets, 1350K bytes)
pkts bytes target prot opt in out source destination
1635 93669 MASQUERADE 0 -- any eth0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 4186 packets, 1360K bytes)
pkts bytes target prot opt in out source destination
heracles:/var/log/apache2# iptables -vL
Chain INPUT (policy DROP 1107 packets, 74425 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- any any anywhere anywhere tcp flags:SYN,ACK/SYN,ACK state NEW reject-with tcp-reset
0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
1002 362K ACCEPT 0 -- eth0 any anywhere anywhere state RELATED,ESTABLISHED
104K 30M ACCEPT 0 -- eth1 any anywhere anywhere
11 2400 ACCEPT 0 -- lo any anywhere anywhere
0 0 ACCEPT icmp -- eth0 any anywhere anywhere icmp time-exceeded

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
539K 28M ACCEPT 0 -- eth1 any anywhere anywhere
764K 1014M ACCEPT 0 -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:webcache

Chain OUTPUT (policy ACCEPT 34592 packets, 14M bytes)
pkts bytes target prot opt in out source destination
cheers
Eek
pa
Posts: 308
Joined: 06 Dec 2006, 04:38
Location: Sweden

Post by pa »

Hi,

I just reread your post, and you are saying that you moved the website to bubba2. So is the LAN IP of bubba2 192.168.1.3?

In this case you will not get any hits on the FORWARD chain, since routing takes place after NAT, and then bubba understands that a packet aimed for 192.168.1.3 is for itself and it will hit the INPUT chain.

And since the packet is coming from eth0 (even if it is aimed for the LAN IP), it will not be passed.
We are currently working on a new release of the firewall UI so that it will allow opening user-specific ports on eth0 as well.

In the meantime, you could try the following:
# iptables -A INPUT -p tcp -i eth0 --dport 8080 -j ACCEPT

That will open port 8080 on your eth0 interface.

/PA
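The two situations pa describes in this thread, the forward to a separate LAN host whose replies bypass the router when the request comes from the LAN, and the service running on the router itself that ends up in INPUT rather than FORWARD, can be expressed as a small rule generator. The script below is an added example, not code from the thread or from the Bubba firewall. Interface names eth0/eth1 and the 192.168.1.x addresses follow the thread; the external address 203.0.113.10 and the /24 LAN netmask are constructed placeholders. By default it only prints the iptables commands; set DRY_RUN=0 (as root) to apply them.

```shell
#!/bin/sh
# Added example: port-forward rules with a hairpin-NAT fix for LAN-side
# access, plus the INPUT rule for a service on the router itself.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed; adjust to the real LAN
WAN_IP="${WAN_IP:-203.0.113.10}"       # placeholder: the router's external IP
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = apply them

# Print or apply one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Forward TCP port $1 on the WAN side to host $2, port $3 on the LAN.
add_portforward() {
    ext="$1"; host="$2"; port="$3"

    # 1. Rewrite the destination of packets arriving from the Internet.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$ext" \
        -j DNAT --to-destination "$host:$port"
    # 2. Let the rewritten connection through FORWARD, limited to the one
    #    host and port instead of "dpt:8083 anywhere" as in the thread.
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT

    # 3. Hairpin: a LAN client talking to the router's external IP is
    #    redirected as well ...
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$WAN_IP" -p tcp --dport "$ext" \
        -j DNAT --to-destination "$host:$port"
    # 4. ... and its source is rewritten to the router, so the server's reply
    #    returns via the router instead of going straight to the client,
    #    which would discard it (the limitation described above).
    ipt -t nat -A POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$host" -p tcp --dport "$port" \
        -j MASQUERADE
    # 5. Hairpin traffic enters and leaves on the LAN interface.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -p tcp -d "$host" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Accept TCP port $1 on the WAN interface for a service on the router itself.
# Routing happens after DNAT, so a packet rewritten to the router's own LAN
# address is delivered locally and is judged by INPUT, never by FORWARD.
open_local_port() {
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# The counter check suggested above: run, connect from outside, run again
# and compare the pkts column of the DNAT and FORWARD/INPUT rules.
show_counters() {
    ipt -vnL
    ipt -t nat -vnL
}

# The thread's first setup: external 80 -> 192.168.1.130:8083.
add_portforward 80 192.168.1.130 8083
# The second setup: the web server runs on the router itself on 8080.
open_local_port 8080
```

Rule 5 is only needed because the generator is meant to stand alone; on the firewall shown in the thread the FORWARD chain already accepts everything arriving on eth1. Rule 2 deliberately narrows the FORWARD match to the destination host, so the DNAT rule remains the only thing deciding where the traffic may go.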
Eek
Posts: 372
Joined: 23 Dec 2007, 03:03
Location: the Netherlands

Post by Eek »

Hi Pa
After reading your post, I fired up the website on the bubba (192.168.1.130) and set up port forwarding from 80 to 8083,
as in the original post.
Don't know what changed, but now it works.
Port 80 is open and redirects to 8083, my website is available to the outside.

I also opened port 8080 on the bubba2 and now that redirect also works.
Now I have two ports open; maybe after more study of iptables I will have that fixed :D

thanks for the support
cheers
Eek
pa
Posts: 308
Joined: 06 Dec 2006, 04:38
Location: Sweden

Post by pa »

Note that you can also access port 8080 directly on bubba2 external IP now, no need to use a portforward.

As I mentioned earlier, we will add this to the firewall UI soon.

/PA