Hello,
First, I would like to say that I have searched for a really long time through the historical list archive of netfilter and other forums, but I was not able to find the functionality I was searching for!
I have found only this "port forwarding through localhost" http://marc.info/?t=116984915600001&r=1&w=2 but it is not exactly that!
Here is the situation:
Host A (Germany - my home laptop - Windows XP)
Router (Bulgaria - public IP) - Linux openSUSE 11.1 Xen; Linux clients-pools 2.6.27.29-0.1-xen #1 SMP 2009-08-15 17:53:59 +0200 x86_64 x86_64 x86_64 GNU/Linux
Host B (192.168.1.10, a Xen virtual host installed on the Router itself - Windows XP). Host B can ping any public IP address and can resolve DNS names.
The Router has 2 open ports:
55431 OpenSSH
54322 forwarded to Host B - 192.168.1.10 port 3389 for remote desktop!
Now, the port forwarding is working just great, I can reach the remote desktop of Host B from Host A, but I want to close that port and let everything be forwarded over an SSH tunnel. I have done this for Squid and Apache, which are on the Router itself, and it works just perfectly.
But when I closed port 54322 and tried to do the same for Host B, I ran into several problems.
The PuTTY tunnel forwards port 54322 on the Router to my localhost (Host A) port 60000.
So the remote desktop from Host A is done like this: localhost:60000, which forwards the traffic not to eth1 but to the local loopback (lo):
-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
On the router side I can see that TCP segment coming in on the local loopback with tcpdump:
router:~ # tcpdump -vvv -i lo port 3389
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
12:52:26.348931 IP (tos 0x0, ttl 64, id 26881, offset 0, flags [DF], proto TCP (6), length 60) localhost.46449 > localhost.ms-wbt-server: S, cksum 0x21d4 (correct), 463172374:463172374(0) win 32792 <mss 16396,sackOK,timestamp 37886487 0,nop,wscale 7>
12:52:26.348954 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) localhost.ms-wbt-server > localhost.46449: R, cksum 0x606d (correct), 0:0(0) ack 463172375 win 0
My question is: what rule should I write in order to redirect this packet to the host 192.168.1.10 on port 3389 and catch that packet on the way back? I do not want to use socat (user space) for this, although it is working.
I have enclosed the output of my "iptables-save > firewall" command below (I have just changed my public IP to 1.1.1.1) and the output of ifconfig on the router:
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*mangle
:PREROUTING ACCEPT [125872:58570748]
:INPUT ACCEPT [64138:10436284]
:FORWARD ACCEPT [61857:48161272]
:OUTPUT ACCEPT [60175:25422321]
:POSTROUTING ACCEPT [121952:73579737]
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*nat
:PREROUTING ACCEPT [2178:203421]
:POSTROUTING ACCEPT [3440:199081]
:OUTPUT ACCEPT [9561:742897]
-A PREROUTING -d 1.1.1.1/32 -i eth1 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i eth0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i tap5_0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A PREROUTING -d 1.1.1.1/32 -i vif5_0 -p tcp -m tcp --dport 54322 -j DNAT --to-destination 192.168.1.10:3389
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tap5_0 -j MASQUERADE
-A POSTROUTING -o vif5_0 -j MASQUERADE
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*raw
:PREROUTING ACCEPT [315487:154134329]
:OUTPUT ACCEPT [221189:110128847]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
# Generated by iptables-save v1.4.2-rc1 on Wed Oct 14 10:27:35 2009
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i br0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -i eth0 -j input_ext
-A INPUT -i tap5_0 -j input_ext
-A INPUT -i vif5_0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-A FORWARD -i br0 -j forward_int
-A FORWARD -i eth1 -j forward_ext
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i tap5_0 -j forward_ext
-A FORWARD -i vif5_0 -j forward_ext
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_ext -i eth1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i tap5_0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i vif5_0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDext-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_ext -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_ext -s 192.168.1.10/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m pkttype --pkt-type multicast -j DROP
-A forward_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
-A forward_int -i br0 -o eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o tap5_0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i br0 -o vif5_0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -d 192.168.1.10/32 -p tcp -m limit --limit 3/min -m tcp --dport 3389 -m state --state NEW -j LOG --log-prefix "SFW2-FWDint-ACC-REVMASQ " --log-tcp-options --log-ip-options
-A forward_int -d 192.168.1.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A forward_int -s 192.168.1.10/32 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m pkttype --pkt-type multicast -j DROP
-A forward_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j reject_func
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54321 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54321 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 54322 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 54322 -j ACCEPT
-A input_ext -p udp -m udp --dport 54321 -j ACCEPT
-A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -m pkttype --pkt-type broadcast -j DROP
-A input_int -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 3389 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 3389 -j ACCEPT
-A input_int -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-TCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m tcp --dport 443 -j ACCEPT
-A input_int -p udp -m udp --dport 3389 -j ACCEPT
-A input_int -p udp -m udp --dport 443 -j ACCEPT
-A input_int -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m pkttype --pkt-type multicast -j DROP
-A input_int -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_int -j reject_func
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Oct 14 10:27:35 2009
router:~ # ifconfig
br0       Link encap:Ethernet  HWaddr 00:17:31:66:E0:96
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::217:31ff:fe66:e096/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:33617 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9899695 (9.4 Mb)  TX bytes:40149850 (38.2 Mb)

eth0      Link encap:Ethernet  HWaddr 00:17:31:66:E0:96
          UP BROADCAST PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:23 Base address:0xd000

eth1      Link encap:Ethernet  HWaddr 00:C0:26:2B:FD:BF
          inet addr:1.1.1.1  Bcast:1.1.1.63  Mask:255.255.255.224
          inet6 addr: fe80::2c0:26ff:fe2b:fdbf/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:242550 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:109289170 (104.2 Mb)  TX bytes:84870831 (80.9 Mb)
          Interrupt:17 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:72536 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72536 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:40991838 (39.0 Mb)  TX bytes:40991838 (39.0 Mb)

tap5.0    Link encap:Ethernet  HWaddr AA:95:EA:BF:C1:5B
          inet6 addr: fe80::a895:eaff:febf:c15b/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:32308 errors:0 dropped:0 overruns:0 frame:0
          TX packets:38395 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:10396937 (9.9 Mb)  TX bytes:40082135 (38.2 Mb)

vif5.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:2930 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
Can anyone help me with this?
Konstantin
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
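Added example (editor's note, not part of the original mail). The connection the question is about is opened by sshd on the router itself, so it is locally generated traffic: it traverses raw OUTPUT, nat OUTPUT, filter OUTPUT and POSTROUTING, and the posted nat PREROUTING DNAT never sees it. On top of that, the raw table marks everything sent out on lo as NOTRACK, and NAT only acts on tracked connections, so a 127.0.0.1 endpoint is doubly out of reach for DNAT. The script below shows the two usual ways out: an ssh -L forward that targets Host B directly (no netfilter involved), or a nat OUTPUT redirect keyed on the router's br0 address instead of loopback, with the one raw-table exception that keeps the flow tracked. It is not the poster's or the netfilter project's code; it assumes the addresses, ports and interface names quoted in the mail (br0/192.168.1.1, Host B 192.168.1.10:3389, tunnel port 54322, sshd on 55431), and the router's public SSH name router.example is a placeholder. Run it with IPT=echo to print the rules without loading them.

```shell
#!/bin/sh
# Added example (not from the original mail or its author): two ways to reach
# Host B's remote desktop over the SSH tunnel once public port 54322 is closed.
# Addresses, ports and interface names are the ones quoted in the mail; the
# router's public SSH name is a placeholder.
#
# Why the PREROUTING DNAT never fires: the tunnelled connection is opened by
# sshd on the router itself, so it is a locally generated packet. Such packets
# traverse raw OUTPUT -> conntrack -> nat OUTPUT -> filter OUTPUT -> POSTROUTING
# and never pass PREROUTING on the way out. In addition, the posted raw table
# marks everything sent out on lo as NOTRACK, and NAT only works on tracked
# connections, so a DNAT for a 127.0.0.1 destination would be skipped as well.

IPT=${IPT:-iptables}       # set IPT=echo to print the rules instead of loading them
LAN_IF=br0                 # router's LAN bridge (from the mail)
LAN_IP=192.168.1.1         # router's address on br0 (from the mail)
HOSTB=192.168.1.10         # Host B (from the mail)
RDP_PORT=3389
TUNNEL_PORT=54322          # port the PuTTY tunnel targets on the router
SSH_PORT=55431             # router's sshd port (from the mail)
ROUTER_SSH=router.example  # placeholder: public name of the router

# Option 1, no netfilter involved: let the SSH local forward target Host B
# directly. sshd then connects from the router to 192.168.1.10:3389, which the
# existing "-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"
# rule already allows; no DNAT and no open public port are needed.
ssh_forward_direct() {
    printf 'ssh -p %s -L 60000:%s:%s user@%s\n' \
        "$SSH_PORT" "$HOSTB" "$RDP_PORT" "$ROUTER_SSH"
}

# Option 2: keep the tunnel target on the router, but as LAN_IP:TUNNEL_PORT
# (PuTTY/ssh forward -L 60000:192.168.1.1:54322), not 127.0.0.1, and redirect
# it in nat OUTPUT. Using the br0 address instead of loopback keeps the reply
# path sane: when conntrack undoes the DNAT on Host B's answer, the packet is
# addressed to 192.168.1.1, an address the router owns on a real interface,
# and the ESTABLISHED rule in INPUT accepts it.
tunnel_nat_rules() {
    # 1. Let this flow be tracked. ACCEPT in the raw table ends chain traversal
    #    before the existing "-A OUTPUT -o lo -j NOTRACK" rule is reached
    #    (the first hop of a packet to one of the router's own addresses is lo).
    $IPT -t raw -I OUTPUT 1 -o lo -d "$LAN_IP" -p tcp --dport "$TUNNEL_PORT" -j ACCEPT
    # 2. Rewrite the destination of the locally generated connection; the
    #    kernel re-routes it out of br0 after the DNAT.
    $IPT -t nat -A OUTPUT -d "$LAN_IP" -p tcp --dport "$TUNNEL_PORT" \
        -j DNAT --to-destination "$HOSTB:$RDP_PORT"
    # 3. Make sure Host B answers the router's br0 address whatever local
    #    address sshd happened to bind (the posted MASQUERADE rules cover
    #    eth0/eth1/tap5_0/vif5_0 but not br0).
    $IPT -t nat -A POSTROUTING -o "$LAN_IF" -d "$HOSTB" -p tcp --dport "$RDP_PORT" \
        -j SNAT --to-source "$LAN_IP"
    # Once the tunnel works, the four PREROUTING DNAT rules for --dport 54322
    # and the input_ext ACCEPT for 54322 in the posted ruleset can be removed.
}

case "${1:-}" in
    direct) ssh_forward_direct ;;
    nat)    tunnel_nat_rules ;;
    *)      echo "usage: $0 direct|nat   (IPT=echo $0 nat for a dry run)" >&2 ;;
esac
```

Option 1 is the one to try first: it needs no NAT at all, because sshd is free to connect to any host the router can reach, and the existing filter OUTPUT chain already accepts new outbound connections. Option 2 is for the case where the forward must keep ending on the router itself; note that it deliberately avoids 127.0.0.1 as the tunnel endpoint, since loopback-addressed traffic is both untracked by the posted raw rules and awkward to route back once conntrack reverses the NAT.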