Forwarding

selsted
My system is working like this.
I have a Linux (RedHat 7.3) box running as firewall. I have two network cards installed.
eth0 has ip 10.0.0.1.
eth1 has ip 192.168.2.1.
I make a dialup to an external modem on 10.0.0.138, and thereby get ppp0 with IP 62.X.Y.Z (external).


Running ifconfig reveals this:

eth0      Link encap:Ethernet  HWaddr 00:50:04:BA:01:9E  
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3451 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3587 errors:0 dropped:0 overruns:0 carrier:2
          collisions:0 txqueuelen:100
          RX bytes:536982 (524.3 Kb)  TX bytes:347358 (339.2 Kb)
          Interrupt:3 Base address:0xd000

eth1      Link encap:Ethernet  HWaddr 00:07:95:32:F4:B8  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3075 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1146 errors:0 dropped:0 overruns:0 carrier:0
          collisions:4 txqueuelen:100
          RX bytes:321602 (314.0 Kb)  TX bytes:451448 (440.8 Kb)
          Interrupt:3 Base address:0xd400

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:768 (768.0 b)  TX bytes:768 (768.0 b)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:62.X.Y.Z  P-t-P:62.A.B.C  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:878 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2245 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:339276 (331.3 Kb)  TX bytes:149600 (146.0 Kb)

ppp0 has a different ip on the inet, compared to the P-t-P.

While my gateway is working (see below), I get the following when executing route:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
62.A.B.C        *               255.255.255.255 UH    0      0        0 ppp0
255.255.255.255 *               255.255.255.255 UH    0      0        0 eth1
10.0.0.0        *               255.255.255.0   U     0      0        0 eth0
192.168.2.0     *               255.255.255.0   U     0      0        0 eth1
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         62.A.B.C        0.0.0.0         UG    0      0        0 ppp0


So what I need is the following. On my internal network (192.168.2.*), I need to forward & masquerade all packets out to the internet. This works at the moment.
Furthermore I need to forward some UDP and TCP packets from outside to a machine inside, on a specific port. Let's say that I need to forward UDP port 5000 from the outside to IP 192.168.2.100, so that if a connection to 62.X.Y.Z:5000 is made, it should end up at 192.168.2.100.


So here is what I got.
Starting the gateway, I do the following (and this works):

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ

(I'm not sure if it is important, but I have also set up input & masquerading with the X program called firewall. Since this works, I won't detail it.)


So after trying to find out how to forward an external UDP or TCP port to an internal machine, I came up with the example that I should do this:
iptables -t nat -A PREROUTING -i ppp0 -p udp --dport 5000 -j DNAT --to 192.168.2.100:5000

This resulted in this error message:
/lib/modules/2.4.18-18.7.x/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters.

Searching on this error I found out that all I should do was this:
service ipchains stop
chkconfig --level 345 ipchains off
rmmod ipchains
insmod ip_tables
chkconfig --level 345 iptables on

And this of course closed down my gateway.


Now I am about to give up, what should I do to get this to work?

Thanks!

Commented:
You can't use both ipchains and iptables. Everything has to be done with one or the other. Since you have both available, it would be better to do everything with iptables since it is more flexible and includes stateful inspection. To use iptables, it will be necessary to make sure that ipchains never starts. Do that by:

chkconfig --level 2345 ipchains off

and reboot. It is possible to stop ipchains and force an unload of its modules, which allows iptables to be used without a reboot.

Author

Commented:
How do i then do these with iptables?

/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.2.0/24 -j MASQ
Gabriel Orozco, Solution Architect

Commented:
Per your configuration, this could help:

# I think you have DSL. if it's already starting, then
# delete the "adsl-start" line:
adsl-start

#Activate IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="/usr/local/sbin/iptables"
outside=ppp0
inside=eth1
other=eth0

$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP

# Loopback must be allowed in both directions (OUTPUT matches on -o, not -i).
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
$ipt -A INPUT -i $inside -j ACCEPT
$ipt -A OUTPUT -o $inside -j ACCEPT
$ipt -A OUTPUT -o $outside -j ACCEPT
$ipt -A FORWARD -i $inside -j ACCEPT

# Replies to connections opened by this host or by the LAN.
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept at least traffic to ssh into this host.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
#now the nat thing.
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE

---
This script will not forward anything from eth0 to eth1, as you asked, but it forwards (without NAT) from eth1 to eth0, and NATs from eth1 to ppp0, whatever IP they may have.
Commented:
I am rather confused regarding your configuration there. A few things I want to clarify: the first is, are you trying to set up an internet connection with a fixed IP? Then I think you should perform IP aliasing and also network address translation.
Gabriel Orozco, Solution Architect

Commented:
Oops! Sorry! I forgot to tell you how to do the prerouting so you can offer services from an internal computer to the internet (this does not work with FTP, however):

$ipt -t nat -A PREROUTING -i ppp0 -p udp --dport 5000  -j DNAT --to 192.168.2.100

You must also open the port from outside in the firewall, like this:
$ipt -A FORWARD -i ppp0 -p udp -d 192.168.2.100 --dport 5000 -j ACCEPT

and that's all.

Author

Commented:
I connect to the internet via an external ADSL modem. The modem has its own internal and external IP. The external one is given after dialing up. This external IP is the same from my provider every time I dial up. After dialing up, I connect with a program I found on the net called PPTP.
I connect by doing this:

pptp 10.0.0.138 debug remotename 10.0.0.138 name <name>
sleep 10
route add default gw 62.A.B.C dev ppp0

Furthermore I need to have added entries in /etc/ppp/pap-secrets for the name <name>.


Redimido:
iptables -A OUTPUT -i eth1 -j ACCEPT
resulted in an error: -i cannot be used with OUTPUT.
So I skipped this. After completing the rest, all networking was down:

[root@gold root]# ping localhost
PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 : 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 0 received, 100% loss, time 2000ms
Solution Architect
Commented:
1.- You need to get the scripts from Roaring Penguin for
    DSL. They do all the trick.
    For RedHat, I believe they are already there, so type:
    adsl-setup   to input all your info
    adsl-start   to start your connection.
    All routes and everything will be updated by the script.
    Very convenient!

2.- Sorry. I wrote the last rules without checking. Let me
    put them like this:

# I think you have DSL. if it's already starting, then
# delete the "adsl-start" line:
adsl-start

#Activate IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

ipt="/usr/local/sbin/iptables"
outside=ppp0
inside=eth1
other=eth0

$ipt -F
$ipt -t nat -F
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P OUTPUT ACCEPT
$ipt -P FORWARD DROP

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A INPUT -i $inside -j ACCEPT
$ipt -A FORWARD -i $inside -j ACCEPT

# Replies to connections opened by this host or by the LAN
# (without the FORWARD rule, masqueraded return traffic is dropped).
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Accept at least traffic to ssh into this host.
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
#now the nat thing.
$ipt -t nat -A POSTROUTING -o $outside -j MASQUERADE

--
OUTPUT is useful when you want to not respond at all to a particular site or network. So, please leave the script as posted now.

You will notice that at the top is an adsl-start command. This should be enough to connect you to the internet,
but as with any ppp service, you should not have a fixed gateway predefined. When you do not have a predefined gateway, this kind of script works better.
AFAIK, port forwarding does not work with ipchains; you need iptables (to enable it, see previous comments).

iptables -A PREROUTING -t nat -p udp --dport 5000 -j DNAT -i ppp0 --to 192.168.2.100

This is, slightly changed, what Redimondo already said. You don't need an INPUT rule for it.
You should put such a rule in your ip-up script.
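As an added example (not code posted by anyone in this thread), here is the whole gateway as one iptables script for a 2.4 kernel: the check that ipchains has been unloaded (the cause of the "init_module: Device or resource busy" error), the ipchains MASQ rule as a MASQUERADE rule, the UDP 5000 port forward, and the loopback and connection-tracking rules without which "ping localhost" and return traffic fail. It assumes the layout from the question (ppp0 outside, eth1 inside, LAN 192.168.2.0/24, target 192.168.2.100) and prints the commands by default (DRY_RUN=1) so they can be reviewed before being applied as root with DRY_RUN=0. A DNATed packet is no longer addressed to the gateway, so the rule that admits it belongs in FORWARD, not INPUT; the nat table sees only the first packet of a connection, and the ESTABLISHED,RELATED rules take care of the rest.

```shell
#!/bin/sh
# Added example: iptables gateway with masquerading and a UDP port forward.
# Assumed values (override via environment): ppp0 outside, eth1 inside,
# LAN 192.168.2.0/24, forward UDP 5000 to 192.168.2.100.
# DRY_RUN=1 (default) prints the commands instead of running them.

OUTSIDE=${OUTSIDE:-ppp0}
INSIDE=${INSIDE:-eth1}
LAN=${LAN:-192.168.2.0/24}
FWD_TARGET=${FWD_TARGET:-192.168.2.100}
FWD_PORT=${FWD_PORT:-5000}
DRY_RUN=${DRY_RUN:-1}

# ipt: print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

# ipchains_loaded: true if the ipchains module still owns the netfilter
# hooks; ip_tables cannot load while it does ("Device or resource busy").
ipchains_loaded() {
    [ -r /proc/modules ] && grep -q '^ipchains ' /proc/modules
}

# unload_ipchains: stop the ipchains service permanently and unload it.
unload_ipchains() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "service ipchains stop; chkconfig --level 2345 ipchains off; rmmod ipchains"
        return 0
    fi
    service ipchains stop
    chkconfig --level 2345 ipchains off
    rmmod ipchains
}

# enable_forwarding: same as the echo in the original ipchains script.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# apply_rules: emit the complete rule set in order.
apply_rules() {
    if ipchains_loaded; then unload_ipchains; fi
    enable_forwarding

    # Clean slate, deny by default for traffic to and through the box.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback both ways; OUTPUT matches the outgoing interface with -o.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Return traffic for connections the gateway or the LAN initiated.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The LAN may reach the gateway and go out to the internet.
    ipt -A INPUT -i "$INSIDE" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -s "$LAN" -j ACCEPT

    # ipchains "-A forward -s 192.168.2.0/24 -j MASQ" in iptables terms.
    ipt -t nat -A POSTROUTING -s "$LAN" -o "$OUTSIDE" -j MASQUERADE

    # Port forward: rewrite the destination in nat/PREROUTING, then admit
    # the rewritten packet in FORWARD (it is no longer addressed to us).
    ipt -t nat -A PREROUTING -i "$OUTSIDE" -p udp --dport "$FWD_PORT" \
        -j DNAT --to-destination "$FWD_TARGET:$FWD_PORT"
    ipt -A FORWARD -i "$OUTSIDE" -p udp -d "$FWD_TARGET" --dport "$FWD_PORT" \
        -m state --state NEW -j ACCEPT
}

apply_rules
```

Run it once as-is to read the generated commands, then `DRY_RUN=0 sh gateway.sh` as root. Because the rules are generated from the ppp interface name rather than a fixed gateway address, the script can be called from /etc/ppp/ip-up each time ppp0 comes up.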

Author

Commented:
Thanks for the help!
