Raul I. Becette wrote:
Cedric Blancher wrote:
On Wednesday 16 February 2005 at 17:58 -0300, Raul I. Becette wrote:
I am having trouble forwarding ports to internal servers.
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 1024 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:110
works OK when I telnet to $PUB_IF 1024. I get redirected to the POP server with no problems.
I should not.
How can I accomplish the port forwarding for the services?
What I want to do is assign ports 1024-1030 to redirect services for $SERV_BIBL, ports 1031-1039 to redirect services for $SERV_ING and so on.
If you DNAT your connection to $PUB_IF port 1024 to $SERV_BIBL:110, then your FORWARD chain will see a packet destined to port 110, not 1024. If you just look at the Netfilter architecture, you will see FORWARD chain traversal occurs _after_ PREROUTING traversal. Thus, packets are already DNATed and have their destination modified when hitting FORWARD rules.
That's why, in order to accept your DNATed connection, you should have:
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
If it works anyway, it means you must have some kind of overlapping rule that accidentally accepts those packets.
Now, going to your script, there's indeed a rule that accepts destination port 110 whatever their destination is:
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
So your stuff works, but that's an accident!
Why is it an accident?
TIA
Hello list
I solved the problem by modifying the FORWARD line, adding the connection state NEW:
$IPTABLES -A FORWARD -p tcp --dport $SERVICE_PORT -m state --state NEW -j ACCEPT
and deleted the FORWARD lines that accepted connections with --dport 10nn. The PREROUTING chain takes care of redirecting that port.
That part of my script now is:
# Open the SMTP port to send mail from unpata to La Gran Bestia POP
$IPTABLES -A FORWARD -i $PUB_IF -s $LAN_SMTP -p tcp --dport 25 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 25 -j DNAT --to $LAN_POP:25
# Open ports for services accessible from the Internet
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 21 -m state --state NEW -j ACCEPT
# POP for unpata.edu.ar and unp.edu.ar accounts
$IPTABLES -A FORWARD -i $PUB_IF -p tcp --dport 110 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 110 -j DNAT --to $LAN_POP:110
# Services for biblioteca.unp.edu.ar
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1024 -j DNAT --to $SERV_BIBL:21
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1025 -j DNAT --to $SERV_BIBL:25
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1026 -j DNAT --to $SERV_BIBL:110
# Services for ing.unp.edu.ar
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1030 -j DNAT --to $SERV_ING:21
$IPTABLES -t nat -A PREROUTING -i $PUB_IF -p tcp --dport 1031 -j DNAT --to $SERV_ING:110
I used information from the "slow ftp" thread and asked myself "what if I specify the state of the connection?"
It worked.
Thanks a lot for the help
--
-----------------------------------------------------------------
Raul I. Becette
E-mail: raulbecette@xxxxxxxxxx
Area Redes y Telecomunicaciones
Univ. Nac. de la Patagonia San Juan Bosco
Ciudad Universitaria - Km.4. 9000 - Comodoro Rivadavia - Chubut
Tel/Fax : (0297) - 4550073
------------------------------------------------------------------
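The rule pair Cedric describes, written as an added example rather than code from the thread: a small POSIX shell function that, for one published port, emits the nat PREROUTING DNAT rule keyed on the public port and a FORWARD rule that matches what FORWARD actually sees after PREROUTING, the internal host's address and its real service port, restricted to state NEW. Restricting the FORWARD rule with -d means the accept no longer covers port 110 towards any internal host, which is the accidental overlap in the original script. The interface eth0 and the 192.0.2.x addresses are constructed placeholders; the IPTABLES variable name follows the script in the thread. The functions print the rules so the output can be read or piped into sh on the router.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: IPTABLES, dnat_pair, base_rules, demo.
IPTABLES=${IPTABLES:-iptables}

# dnat_pair PUB_IF PUB_PORT SERVER SERV_PORT
# Emits the two rules needed to publish SERVER:SERV_PORT on PUB_IF:PUB_PORT.
dnat_pair() {
    pub_if=$1; pub_port=$2; server=$3; serv_port=$4
    # nat/PREROUTING runs before routing and before FORWARD: it rewrites the destination.
    printf '%s -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$IPTABLES" "$pub_if" "$pub_port" "$server" "$serv_port"
    # FORWARD therefore sees the rewritten packet: match the internal host and the real
    # service port, and only the first packet of a new connection.
    printf '%s -A FORWARD -i %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$IPTABLES" "$pub_if" "$server" "$serv_port"
}

# Rules shared by every mapping: let replies and related traffic through once,
# and drop anything FORWARD was not told to accept.
base_rules() {
    printf '%s -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$IPTABLES"
    printf '%s -P FORWARD DROP\n' "$IPTABLES"
}

# Demonstration with constructed values: the three biblioteca mappings from the thread,
# pointed at a placeholder server in the RFC 5737 documentation range.
demo() {
    base_rules
    dnat_pair eth0 1024 192.0.2.10 21
    dnat_pair eth0 1025 192.0.2.10 25
    dnat_pair eth0 1026 192.0.2.10 110
}

# Run directly to see the generated rules: sh thisfile.sh
[ "${0##*/}" = "thisfile.sh" ] && demo
```

Piping the output of demo into sh applies it; reading it is enough to see that no FORWARD rule mentions port 1024 or port 110 without the -d of the host it was DNATed to.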