I want to forward traffic destined for port 100 to 127.0.0.1:101. The actual goal is to forward to a different IP:PORT, but for the sake of just getting stuff to work I have a socket listening on *:100. From this site, and Googling "iptables port forwarding howto", I've been led to believe the syntax is as follows, which is part of my ruleset.
#Set default policies to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#Flush ruleset
iptables -F
iptables -t nat -F
iptables -t filter -F
#Allow local access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#Allow ESTABLISHED,RELATED
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow outbound SYN requests
iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT
#### The forwarding-related rules
# Allow SYN requests for the port-to-be-forwarded
iptables -A INPUT -i $INET_IFACE -p tcp --dport 100 -m state --state NEW -j ACCEPT
# Route to 127.0.0.1:101
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 100 -j DNAT --to-destination 127.0.0.1:101
# Accept the forward
iptables -A FORWARD -t filter -i eth0 -p tcp --dport 101 -j ACCEPT
# Accept all related in forward
iptables -A FORWARD -t filter -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
My sysctl settings are:
# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
kernel.randomize_va_space = 1
# cat /proc/sys/net/ipv4/conf/eth0/forwarding
1
nmap states the port is closed for connect() and SYN scans, but open|filtered for FIN and Xmas scans.
What am I missing?
-
Are you trying to redirect traffic originating from your own machine?
If so, you should also add a DNAT rule to the OUTPUT chain of the nat table. The PREROUTING chain will only process packets coming from other hosts.
From b0fh -
Port forwarding only really makes sense from one ethernet interface to another. Therefore I would have to presume that $INET_IFACE is not the same as eth0. For the purposes of what follows, I will assume it to be eth1.
In that case you need the following rules:
iptables -A INPUT -i eth1 -p tcp --dport 100 -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 100 -j DNAT --to-destination 127.0.0.1:101
iptables -A FORWARD -t filter -i eth1 -p tcp --dport 101 -j ACCEPT
iptables -A OUTPUT -t filter -o eth0 -p tcp --dport 101 -j ACCEPT
This opens the inward path. However, since your default policy is to drop packets that have no matching rule, you also need some rules for the return traffic.
I am not a friend of overcomplicating firewalls built with iptables; you can easily end up in a situation where you have a really hard time understanding what's going on. Therefore I would recommend changing the default policy to ACCEPT for the FORWARD chain, and controlling the traffic primarily through the INPUT chain and, if necessary, the OUTPUT chain.
If the above doesn't provide enough detail to move forward, just post a comment, and I can provide further pointers. There are some good diagrams on traffic flow through iptables; I particularly like this one and this one. These show which tables and chains are used, and should allow you to formulate your rules. Always remember, you need rules for both directions of traffic flow.
Thomas: Actually, my incoming interface is eth0 and the one I attempt to forward to is vmnet8. I attempted to adopt your suggested rules, but failed. Therefore I changed the default policies to ACCEPT and added the following rules:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 100 -j DNAT --to-destination vmip:101
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
But still no success. A SYN request is received on vmnet8 and a SYN,ACK reply is sent. tcpdump does not see the reply on eth0.
From wolfgangsz -
The solution was partly based on wolfgangsz's answer. As I was not originally registered as a user on serverfault, and have since cleared my cookies, it doesn't seem that I can just post a comment.
Default policies are DROP for INPUT and OUTPUT chains, and ACCEPT for FORWARD.
function add_forward {
    # $1 = title
    # $2 = internal host
    # $3 = external port
    # $4 = internal port
    if [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ]; then
        echo "Skipping forward $1"
    else
        echo "Forwarding port $3 to $2 port $4 ($1)"
        # Rewrite inbound connections to the public IP:port so they go to the VM
        $IPT -t nat -A PREROUTING -p tcp --dst $MYIP --dport $3 -j DNAT --to-destination $2:$4
        # Rewrite the source to the vmnet interface so the VM replies via the host
        $IPT -t nat -A POSTROUTING -p tcp --dst $2 --dport $4 -j SNAT --to-source $VMNETIP
        # Same redirect for connections made from the host itself
        $IPT -t nat -A OUTPUT --dst $MYIP -p tcp --dport $3 -j DNAT --to-destination $2:$4
    fi
}
And finally, to use it:
add_forward "My forward" "192.168.0.101" 100 101
$MYIP is defined as the eth0 public IP.
$VMNETIP is the VMware NAT interface.
So all in all, this enables incoming connections on eth0:100 to be bridged through the vmnet NAT interface to a virtual machine.
Hopefully, this can help someone else as well.
The primary tool for debugging was tcpdump on both the host and guest systems.
"tcpdump -i eth0 port 100" for listening on the host. This revealed a problem with me setting an incorrect IP in the POSTROUTING rule, which made eth0 just drop the packets.
Thanks for the help.
From Thomas