RE: IP forwarding on port 80

128.83.147.87 is indeed the external IP. I can ping, ssh and telnet 80 to
this address from an offsite machine, and since

-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7

catches it, it seems that

-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80

would also catch it.

Also, since I have:

-A INPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
-A FORWARD -j LOG --log-prefix "forward" --log-level 7

then I should have a log entry no matter what with a prefix of either
"input" or "forward". However, with the PREROUTING -j DNAT line in place,
neither INPUT nor FORWARD logs the packet traversing through their chains.
Isn't this behavior quite impossible, since a packet that traverses
PREROUTING (which I do successfully log in that chain) should definitely go
to either INPUT or FORWARD?

BTW, my iptables version is iptables-1.2.6a-2. Could there be some sort of
patch I need? I'm not really using a special case since people do simple
port 80 forwarding all the time.

Kent Wang

> Verify that 128.83.147.87 is the external IP address for this box.
> Also how did you test this?  If you are inside the internal network (on
> 192.168.0.5 for example) you can't access the web site by going to
> 128.83.147.87.  So in other words you will have to be outside of your
> network to test it.

> From: kwang@xxxxxxxxx [mailto:kwang@xxxxxxxxx]
> Sent: Friday, June 13, 2003 12:58 PM
> To: chris.hoeschen@xxxxxxxxxxxxx
> Cc: kwang@xxxxxxxxx
> Subject: RE: IP forwarding on port 80
>
>
> This is the iptables-save dump:
>
> *nat
> :PREROUTING ACCEPT [37311:5054668]
> :POSTROUTING ACCEPT [72:4540]
> :OUTPUT ACCEPT [72:4540]
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> COMMIT
> # Completed on Fri Jun 13 03:09:25 2003
> # Generated by iptables-save v1.2.6a on Fri Jun 13 03:09:25 2003
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [17013:3920003]
> -A INPUT -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "input" --log-level 7
> -A INPUT -s 127.0.0.1 -p tcp -j ACCEPT
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -p icmp -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 115 -j ACCEPT
> -A INPUT -j DROP
> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
> COMMIT
>
> This is the same as above, but with iptables -L and then -L -nat:
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> LOG        tcp  --  anywhere             dscp.nur.utexas.edu  tcp dpt:http LOG level debug prefix `input'
> ACCEPT     tcp  --  localhost.localdomain  anywhere
> ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
> ACCEPT     icmp --  anywhere             anywhere
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
> ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:sftp
> DROP       all  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> LOG        all  --  anywhere             anywhere           LOG level debug prefix `forward'
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
>
> Anyway, I really appreciate you and everybody on the mailing list
> helping me out.
>
> Kent Wang
>
>> Could you send me your entire firewall rules
>>
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>> | Chris Hoeschen - Distributed System Analysts        |
>>
>> | PrimeVest Financial Services                        |
>>
>> | (320) 656-4035 E-Mail: chris.hoeschen@xxxxxxxxxxxxx |
>>
>> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>>
>>
>>
>> "Only two things are infinite, the universe and human stupidity, and
>> I'm not sure about the former."
>>
>>  -- Albert Einstein
>> Hippopotomonstrosesquippedaliophobia is the fear of long words
>>
>> -----Original Message-----
>> From: Kent Wang [mailto:kwang@xxxxxxxxx]
>> Sent: Friday, June 13, 2003 11:45 AM
>> To: 'Chris Hoeschen'
>> Subject: RE: IP forwarding on port 80
>>
>>
>> Here's the contents of PREROUTING:
>>
>>
>>
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j LOG --log-prefix "prerouting" --log-level 7
>>
>> -A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
>>
>>
>>
>> Apparently -m tcp is implied since my original command didn't include
>> it but this is what the iptables-save dump says. But since these two
>> are identical other than the action part, if something gets LOG'd, it
>> should be DNAT'd and therefore passed to FORWARD right?
>>
>>
>>
>> This is what I have in FORWARD:
>>
>>
>>
>> -A FORWARD -j LOG --log-prefix "forward" --log-level 7
>>
>>
>>
>> So this means everything that passes through FORWARD gets logged,
>> right? But my log has entries from PREROUTING (cause it has log-prefix
>> 'prerouting) but none from FORWARD.
>>
>>
>>
>> The situation with tcpdump is still the same. Nothing incoming, except
>> when I manually do telnet 192.168.0.2 80.
>>
>>
>>
>> I think the fault is somewhere at the actual DNAT target or the
>> FORWARDing mechanism. Could there have been a module that I didn't
>> load properly? I don't know how to check that (and I would think that
>> iptables would've told me about it already). This is a standard RedHat
>> 7 install with the latest iptables RPM.
>>
>>
>>
>> Kent Wang
>>
>>
>>
>> -----Original Message-----
>> From: Chris Hoeschen [mailto:chris.hoeschen@xxxxxxxxxxxxx]
>> Sent: Friday, June 13, 2003 8:03 AM
>> To: 'Kent Wang'
>> Subject: RE: IP forwarding on port 80
>>
>>
>>
>> A packet coming into your firewall will first travel through the
>> prerouting table.  Depending on where that packet is destined will
>> determine what other table it will be traveling through.  If that
>> packet is going to your firewall itself then it will travel through
>> the input table.  If it is going to be routed through your firewall to
>> another box then it will travel through the forward table.  The output
>> table only handles packets that originated from your firewall and are
>> going out; it does not handle any packets that are getting routed
>> through it.
>>
>>
>>
>> I didn't see your DNAT rule, so make sure that is set correctly; an
>> example for routing web would be as follows:
>>
>> iptables -t nat -A PREROUTING -p tcp -d {EXT_IP} --dport 80 -j DNAT --to-destination {WWW_IP}:80
>>
>>
>>
>> When your web server receives the packet the source address (the one it
>> will be sending the ACK back to) will still be set to the original
>> source and not the firewall.  So it is important that the web server's
>> gateway is set to be your firewall.  If this will not work in your
>> environment then you can put a rule into the postrouting table to SNAT
>> the packet; this way the web server will see the packet as coming from
>> your firewall and (granted that they are on the same subnet) will
>> return the packet to the firewall.  This is not recommended as all
>> connections to the web server will appear as if they were coming from the
>> firewall.
>>
>>
>>
>> Sorry for all the routing mojo, but it helps to get an understanding of the
>> tables for troubleshooting.
>>
>>
>>
>>
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>> I don't know what the -m tcp module is and this might be your problem,
>> try removing it and see if it works.
>>
>>
>>
>> -----Original Message-----
>> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
>> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Kent Wang
>> Sent: Friday, June 13, 2003 2:25 AM
>> To: 'George Vieira'; netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: RE: IP forwarding on port 80
>>
>> OK, more info. My belief is that the packets are not being DNAT'd
>> properly. I added this to that chain:
>>
>>
>>
>> -A PREROUTING -j LOG --log-prefix "test" --log-level 7
>>
>>
>>
>> And was able to log all the incoming HTTP packets. I then added these
>> two:
>>
>>
>>
>> -A FORWARD -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>> -A OUTPUT -p tcp -m tcp --dport 80 -j LOG --log-prefix "test" --log-level 7
>>
>>
>>
>> A properly DNAT'd packet should pass through FORWARD and then OUTPUT,
>> but I found nothing in the log. Is it possible that the DNAT module
>> isn't loaded?
>>
>>
>>
>> I've done tcpdump and the firewall definitely always receives the
>> internet-incoming message and the web server never receives it.
>>
>>
>>
>> Any clues?
>>
>>
>>
>> -----Original Message-----
>> From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
>> [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of George
>> Vieira
>> Sent: Thursday, June 12, 2003 5:18 PM
>> To: Kent Wang; netfilter@xxxxxxxxxxxxxxxxxxx
>> Subject: RE: IP forwarding on port 80
>>
>>
>>
>> What debugging have you done? tcpdump, iptables logging, anything?
>>
>>
>>
>> Does your web server have a default gateway of the firewall?
>>
>> Thanks,
>>
>>
>>
>> ____________________________________________
>>
>>
>>
>> George Vieira
>> Citadel Computer Systems Pty Ltd  Systems Manager  georgev AT
>> citadelcomputer DOT com DOT au
>>
>>
>>
>> Citadel Computer Systems Pty Ltd
>>
>> Phone : +61 2 9955 2644  HelpDesk: +61 2 9955 2698
>> http://www.citadelcomputer.com.au
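The chain traversal discussed in this thread (DNAT in nat PREROUTING, then FORWARD for routed packets), as an added troubleshooting script that is not from the thread or the netfilter project: it checks an iptables-save dump and the ip_forward sysctl for the conditions a DNAT port forward needs. It also covers the case that matches the symptom above, a nat PREROUTING LOG that fires while FORWARD stays silent: with net.ipv4.ip_forward set to 0 the kernel discards routed packets after the routing decision, before FORWARD is ever consulted. The sample dump is constructed from the rules quoted in the thread; EXT_IP, WWW_IP and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check an iptables-save dump and the
# ip_forward sysctl for what a DNAT port forward needs. Names are assumptions.
EXT_IP=128.83.147.87   # external address (from the thread)
WWW_IP=192.168.0.2     # internal web server (from the thread)
# Constructed sample dump; FORWARD has a DROP policy and a rule that still
# matches the external address, which is one of the mistakes checked below.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 128.83.147.87 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 128.83.147.87 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# 0 if nat PREROUTING rewrites EXT_IP:80 to WWW_IP:80
has_dnat() {
  printf '%s\n' "$1" | grep -Eq -- "^-A PREROUTING .*-d $EXT_IP .*--dport 80 -j DNAT --to-destination $WWW_IP:80"
}

# 0 if FORWARD lets the post-DNAT packet through: policy ACCEPT, or an ACCEPT
# rule naming the internal address (FORWARD runs after DNAT, so dst is WWW_IP).
forward_allows_www() {
  printf '%s\n' "$1" | grep -Eq '^:FORWARD ACCEPT' && return 0
  printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD .*-d $WWW_IP(/32)? .*--dport 80 -j ACCEPT"
}

# 0 if a FORWARD rule still matches the external address; it can never fire
forward_has_stale_ext_rule() {
  printf '%s\n' "$1" | grep -Eq -- "^-A FORWARD .*-d $EXT_IP( |/)"
}

# 0 if the sysctl file (normally /proc/sys/net/ipv4/ip_forward) contains 1.
# With 0 the kernel drops routed packets after the routing decision, so
# FORWARD never sees them even though nat PREROUTING already logged them.
ip_forward_enabled() {
  [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = 1 ]
}
# Prints each finding; returns 0 only when every check passes.
check_dnat_setup() {
  rc=0
  has_dnat "$1" || { echo "no DNAT rule for $EXT_IP:80 -> $WWW_IP:80"; rc=1; }
  forward_allows_www "$1" || { echo "FORWARD does not accept $WWW_IP:80"; rc=1; }
  forward_has_stale_ext_rule "$1" && { echo "FORWARD rule matches $EXT_IP, but post-DNAT dst is $WWW_IP"; rc=1; }
  ip_forward_enabled "$2" || { echo "net.ipv4.ip_forward is not 1"; rc=1; }
  return $rc
}
```

On a live box, feed it `iptables-save` output and `/proc/sys/net/ipv4/ip_forward`: `check_dnat_setup "$(iptables-save)" /proc/sys/net/ipv4/ip_forward`.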
