• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 709

forwarding two UDP ports to multiple IP addresses

I have 1 public static IP going to one server, then from the server I'm using NAT through a second NIC for the rest of my network. On some of my machines I need to be able to receive on UDP ports 5198 and 5199; I don't want to open up the rest of my network to these ports.
I am using iptables and am trying to forward UDP ports 5198 and 5199 to 10.10.11.1 - 10.10.11.46 and 10.10.12.1 - 10.10.12.46.
I have no trouble forwarding the ports to any one of these addresses, but when I try to forward them to all the addresses, I get no error from iptables but none of my machines can see that the ports are open.

Any help would be great.
Thank You
Asked by: jducharme23
1 Solution
 
pablouruguay Commented:
Paste the iptables rules you use for opening and forwarding these ports, please.
 
esanchezvela Commented:
Hi,

Check this IPTABLES tutorial (http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERINGOFTABLES, point 6.5.2) on the use of the "--to-destination" flag for the DNAT target:


iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.2.2-192.168.2.10

I know, this example refers to a tcp packet but that should be easy to change.

regards,
esv.
jducharme23 (Author) Commented:
####################################################################################
# You should put this config-file (iptables-firewall.conf) in for example in /etc/ #
# Make sure it's only root readable! -> "chmod 600" & "chown root" it!)            #
####################################################################################

# ----------------------------------------------------------------------------------------------------------------------
# Configuration file for Arno's iptables single- & multi-homed firewall script (rc.iptables)
# (C) Copyright 2001-2003 by Arno van Amersfoort
# Homepage              : http://rocky.molphys.leidenuniv.nl/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                 : a r n o v a AT x s 4 a l l DOT n l
# ----------------------------------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------------------------------------------------------------


############################################
# Required variables for correct operation #
############################################
IPTABLES="/sbin/iptables"         # Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
                                  # to manually locate it).
EXT_IF="eth0"                     # The external interface that will be protected (and used as internet connection)
                                  # This is probably ppp+ for (A)DSL (for non-transparant (A)DSL routers!)
                                  # otherwise it should be "ethX" (ex. eth0)
EXT_IF_DHCP_IP=0                  # Enable if THIS machines (dynamically) obtains its IP through DHCP (from your ISP)

#################################################################################################################
# These options should (only) be used when you have an ADSL/DSL modem which works with a                        #
# PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or simular 'ppp' connection).                 #
#                                                                                                               #
# You can check whether this applies for your (hardware) setup with 'ifconfig' (a 'ppp' device is shown).       #
# This means that if your modem is bridging (a transparant (NAT) router) or the network interface the modem is  #
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)!                   #
#################################################################################################################
#MODEM_IF="eth1"                   # The physical(!) network interface your ADSL modem is connected to (this is not ppp0!)
#MODEM_IF_IP="10.0.0.150"          # (OPTIONAL!) The IP of the network interface (MODEM_IF) your ADSL modem is connected
                                  # to (IP shown for the modem interface (MODEM_IF) in 'ifconfig')
#MODEM_IP="10.0.0.138"             # (OPTIONAL!) The IP of your (A)DSL modem itself

#####################################
# LAN & NAT (masquerading) settings #
#####################################
INT_IF="eth1"                     # Internal network interface or interfaces (multiple(!) interfaces should be
                                  # space seperated). Remark this if you don't have any internal network interfaces.
INTERNAL_NET="10.0.0.0/8"         # Your internal subnet which is connected to the internal interface (INT_IF. For
                                  # multiple interfaces(!) you can either specify multiple subnets here or specify one
                                  # big subnet for all internal interfaces. Note that packets from these subnets are always
                                  # accepted!
NAT=1                             # Enable this if you want to perform NAT for your internal network (LAN)
                                  # (ie, share your internet connection with your internal net(s) connected to INT_IF)
#NAT_STATIC_IP="193.2.1.1"         # (EXPERT SETTING!). In case you would like to use SNAT instead of MASQUERADING then
                                  # uncomment and set the IP here of your static external IP-address.

                                  # (EXPERT SETTING!). Use this variable only if you want specific subnets or hosts to
NAT_INTERNAL_NET="10.10.9.0/24 10.10.10.0/24 10.10.11.0/24 10.10.12.0/24 10.10.13.0/24 10.10.21.0/24 10.10.22.0/24"
                                  # be able to access the internet. When no value is specified, you're whole internal LAN
                                  # will have access. In both cases its only meaningful of course when NAT is enabled.

MODEM_INTERNAL_NET=$INTERNAL_NET  # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should have
                                  # access to the (A)DSL modem itself (manage modem settings). The default setting
                                  # ($INTERNAL_NET) allows access from everybody on your LAN.
#PROXY_PORT="3128"                 # Enable this if you want to use a transparent proxy for your internal network
                                  # (auto redirect of HTTP (port 80) traffic). You can optionally specify another
                                  # proxy port (the default is set to 3128). Note that transparent proxies don't support
                                  # username/password verification!

####################
# General settings #
####################
MANGLE_TOS=1                      # Enable this if you want TOS mangling (RFC)
SET_MSS=1                         # Set the maximum packet size via the Maximum Segment Size(MSS field)
RESOLV_IPS=0                      # Enable this to resolve names of DNS/TH IP's etc.
USE_IRC=1                         # Enable support for the IRC-protocol
LOOSE_FORWARD=0                   # Forward loosen. Enable this option to allow the use of protocols like UPnP. Note
                                  # that it *could* be less secure.
DROP_PRIVATE_ADDRESSES=1          # Enable this if you want to drop packets originating from a private address. Normally
                                  # this should be enabled(1).
DROP_IANA_RESERVED=0              # Enable this if you want to drop addresses which are registered as reserved by IANA.
                                  # This option exists as the IANA list simply changes too often.
DRDOS_PROTECT=1                   # Protect this machine from being abused for a DRDOS-attack (Distributed Denial Of
                                  # Service attack).
DHCP_BOOTP_NET=""                 # Enter the subnet here you running a DHCP/BOOTP service (server) for on the
                                  # external interface(!). Note that you don't need this for internal networks, as for
                                  # these nets all protocols (also DHCP) are accepted by default.
FREESWAN_NET=""                   # Enter your remote Freeswan subnet(s) here to enable "Virtual IP"
                                  # support for Freeswan. This allows you to have remote Virtual IP's which are in the
                                  # same subnet as yourself, to be routed into your network.

#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
BLOCKED_HOST_LOG=0                # Enable logging for explicitly blocked hosts
SCAN_LOG=1                        # Enable logging for various stealth scans (reliable)
POSSIBLE_SCAN_LOG=0               # Enable logging for possible stealth scans (less reliable)
BAD_FLAGS_LOG=0                   # Enable logging for TCP-packets with bad flags
INVALID_PACKET_LOG=0              # Enable logging of invalid packets
RESERVED_NET_LOG=0                # Enable logging of source IP's with reserved addresses
FRAG_LOG=0                        # Enable logging of fragmented packets
DHCP_BROADCAST_LOG=0              # Enable logging of DHCP broadcasts. You probably want to disable(0) this if you
                                  # have a DHCP server in your subnet but don't use it yourself.
LOST_CONNECTION_LOG=0             # Enable logging of (probable) "lost connections". Keep disabled to reduce false alarms
DENY_LOG=1                        # Enable logging for explicitly DENIED packets (ports / protocols)
REJECT_LOG=0                      # Enable logging for explicitly REJECTED packets (ports)
OUTPUT_DENY_LOG=1                 # Enable logging of denied OUTPUT(local) or FORWARD(internal network) connections.
ICMP_DROP_LOG=0                   # Enable logging for dropped ICMP-requests
PRIV_TCP_LOG=0                    # Enable logging of (other) connection attempts to privileged TCP ports
PRIV_UDP_LOG=0                    # Enable logging of (other) connection attempts to privileged UDP ports
UNPRIV_TCP_LOG=0                  # Enable logging of (other) connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=0                  # Enable logging of (other) connection attempts to unprivileged UDP ports
OTHER_IP_LOG=0                    # Enable logging of (other) connection attempts to "other-IP"-protocols (non TCP/UDP/ICMP)
ICMP_FLOOD_LOG=0                  # Enable logging for ICMP flooding
#FIREWALL_LOG=/var/log/firewall    # (EXPERT SETTING!). The location of the dedicated firewall log file. When enabled
                                  # the firewall script will also log start/stop etc. info to this file as well.
                                  # Note that in order to make this work, you should also configure syslogd to log
                                  # firewall messages to this file (see LOGELVEL below for further info)
LOGLEVEL=info                     # Current log-level ("info": default kernel syslog level)
                                  # "debug": can be used to log to /var/log/firewall,
                                  # but you have to configure syslogd accordingly (see included syslogd.conf example)

###########################################
# /proc based settings (EXPERT SETTINGS!) #
###########################################
SYN_PROT=1                        # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1              # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=1                     # Enable if you want to automatically ignore all ICMP echo-requests (IPv4)
                                  # this is very useful in stopping lame DoS-Attacks (aka ping -f's)
LOG_MARTIANS=0                    # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0                   # Enable if you want to accept ICMP redirect messages
                                  # Should be set to "0" in case of a router
HIGHER_CONNTRACK=1                # Enable if you want to handle a huge number of simultanteous connections
                                  # (uses more memory but recommended for (high-traffic) servers)
LOOSE_UDP_PATCH=0                 # You may need to enable this to get some internet games to work,
                                  # but note that it's *less* secure
ECN=0                             # Enable ECN (Explicit Congestion Notification) TCP flag
                                  # Disabled by default, as some routers are still not compatible with this
RP_FILTER=1                       # Use the rp_filter to drop connections from non-routable IPs. This should be
                                  # disabled(0) when you for example want to use Freeswan (VPN) to route external private
                                  # addresses into your network.

#################################################################################################################
# (EXPERT SETTING!). Put in the following variable to specify the subnets that are DMZ-classified.              #
# This means that any FORWARD traffic from the external interface (in)to these interfaces is allowed.           #
#################################################################################################################
DMZ_IF=""

#################################################################################################################
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP traffic should be ACCEPTED.            #
# (multiple(!) interfaces should be space seperated). Be warned that anything TO and FROM these interfaces is   #
# allowed (ACCEPTED) so make sure its NOT routable(accessible) from the outside world (internet)!               #
#################################################################################################################
TRUSTED_IF=""

#################################################################################################################
# Put in the following variable which hosts (subnets) you want have full access via your internet (EXT_IF)      #
# connection(!). NOTE: Don't mistake this variable with the one used for internal nets (INT_IF)                 #
#################################################################################################################
FULL_ACCESS_HOSTS=""

#################################################################################################################
# Put in the following variable which DNS servers you use                                                       #
# Only required when you run your own DNS server (for example BIND)                                             #
#################################################################################################################
DNS_SERVERS="198.235.216.130 198.235.216.131"

# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
ROOT_DNS_SERVERS="128.63.2.53    192.33.4.12  192.112.36.4 192.5.5.241  128.9.0.107 \
                  198.41.0.10    193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
                  192.203.230.10 128.8.10.90  198.41.0.4"

#################################################################################################################
# Put in the following variables which ports or IP protocols you want to leave open to the whole world          #
#################################################################################################################
OPEN_TCP="22 10001"
OPEN_UDP="53"
OPEN_IP=""
OPEN_ICMP=0

#################################################################################################################
# Put in the following variables the TCP/UDP ports you want to block for everyone. Also use these variables     #
# if you want to log connection attempts to these ports from everyone (also trusted & full access hosts)        #
#################################################################################################################
DENY_TCP=""
DENY_UDP=""

#################################################################################################################
# Put in the following variables which hosts you want to allow for certain services                             #
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (HOST_OPEN_IP)                   : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports you want to REJECT (instead of DROP) for certain hosts.    #
# TCP/UDP port format (HOST_REJECT_xxx)               : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

#################################################################################################################
# Put in the following variables which ports you want to block for everyone but NOT logged.                     #
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm)       #
# and don't want your logs flooded with it.                                                                     #
#################################################################################################################
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you DON'T want to log connection attempts  #
# to from certain hosts.                                                                                        #
# TCP/UDP port format (HOST_xxx_NOLOG)                : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (HOST_IP_LOG)                    : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""

#################################################################################################################
# Put in the following variables which hosts you want to deny for certain services                              #
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""

#################################################################################################################
# Put in the following variables which ports/protocols THIS machine is NOT permitted to connect TO              #
# (remote end-point) via the external (internet) interface. Example of usage is for blocking IRC (tcp 6666:6669)#
#################################################################################################################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log connection attempts to     #
# from certain hosts.                                                                                           #
# TCP/UDP port format (LOG_HOST_xxx)                  : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (LOG_HOST_IP)                    : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
LOG_HOST_TCP=""
LOG_HOST_UDP=""
LOG_HOST_IP=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log outgoing connections       #
# (attempts) of (packet watch).                                                                                 #
#################################################################################################################
LOG_TCP_OUTPUT=""
LOG_UDP_OUTPUT=""
LOG_IP_OUTPUT=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log incoming connections       #
# (attempts) of (packet watch).                                                                                 #
#################################################################################################################
LOG_TCP_INPUT=""
LOG_UDP_INPUT=""
LOG_IP_INPUT=""

#################################################################################################################
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to an internal client through (D)NAT     #
# TCP/UDP form : "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} {SRCIP3,...:}PORT3,...>DESTIP2:port}"#
# IP form      : "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"             #
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a different port on the internal client    #
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source IP addresses                       #
# NOTE 3: Port ranges MUST be written as "PORT1-PORT3" (ie. "1024-1030" would include ports 1024 until 1030)    #
#################################################################################################################
# NAT TCP port-forward(s).
#NAT_TCP_FORWARD="25>10.10.10.2 20,21,80,443,10000>10.10.10.6"
NAT_TCP_FORWARD="20,21,25,80,110,443,445,10000>10.10.10.6"
NAT_UDP_FORWARD="5198-5199>10.10.11.1-10.10.11.46 5198-5199>10.10.12.1-10.10.12.46"    
                                  # TCP/UDP port forward examples:
                                  # Simple      : NAT_xxx_FORWARD="80>192.168.0.10"
                                  # Advanced    : NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
NAT_IP_FORWARD=""                 # NAT IP protocol forward(s) (useful for forwarding non-TCP/UDP/ICMP protocols).
                                  # NAT IP protocol forward example: "47,48>192.168.0.10"

#################################################################################################################
# (EXPERT SETTING!) Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point)      #
# which the MASQUERADED hosts(LAN) are permitted to connect to via the external (internet) interface. When      #
# these variables are empty (""), these hosts are permitted to connect ANY port/protocol.                       #
#################################################################################################################
LAN_ALLOW_TCP=""
LAN_ALLOW_UDP=""
LAN_ALLOW_IP=""

#################################################################################################################
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) which the MASQUERADED  #
# hosts(LAN) are NOT permitted to connect to via the external (internet) interface. Examples of usage are for   #
# blocking IRC (TCP 6666:6669) for the internal network                                                         #
#################################################################################################################
LAN_DENY_TCP="25"
LAN_DENY_UDP=""
LAN_DENY_IP="25"

#################################################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host)  #
#################################################################################################################
BLOCK_HOSTS=""

# Location of the BLOCKED HOSTS file (if any). Note that the last line of this file should always contain a
# carriage-return (enter)!
###########################################################################################################
BLOCK_HOSTS_FILE=/etc/iptables-blocked-hosts

# Location of the custom IPTABLES rules file (if any):
######################################################
CUSTOM_RULES=/etc/iptables-custom-rules
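The --to-destination range that esanchezvela points at, applied to the NAT_xxx_FORWARD format documented in the config above, as an added example that is not code from this thread or from Arno's firewall script. It expands a forward specification into the two rules each entry needs: the nat/PREROUTING DNAT rule, and a filter/FORWARD ACCEPT that admits only the forwarded ports to the forwarded destination, so the rest of the internal network stays closed, which is the asker's stated concern. Note what a destination range does in DNAT: the kernel chooses one address from the range for each new connection and keeps it for that connection's packets, so a port forwarded to 10.10.11.1-10.10.11.46 reaches one of those hosts per flow, not all of them. The iptables path, eth0 and the sample specs come from the posted config; the function names, the DRY_RUN switch and the choice to print rules for review before applying them are this example's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from Arno's firewall script.
# Expands a NAT_xxx_FORWARD value in the format the posted config documents,
#   "{SRCIP1,SRCIP2:}PORT1,PORT2-PORT3>DESTIP{:port} {SRC:}PORT>DESTIP2 ..."
# into the iptables rules it implies: one nat/PREROUTING DNAT rule and one
# filter/FORWARD ACCEPT rule per port item, so only the listed ports reach the
# listed destination and the rest of the internal net stays closed.
# Rules are printed (DRY_RUN=1) so they can be reviewed before being applied.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # path as in the posted config
EXT_IF="${EXT_IF:-eth0}"                 # external interface as in the posted config
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print rules, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi
}

# iptables writes port ranges as 1024:1030; the config format writes 1024-1030.
port_match() { echo "$1" | tr '-' ':'; }

# An IP range (a.b.c.d-a.b.c.e) needs the iprange match in FORWARD; a single
# host can use plain -d. DNAT's --to-destination accepts the range directly.
dest_match() {
    case "$1" in
        *-*) echo "-m iprange --dst-range $1" ;;
        *)   echo "-d $1" ;;
    esac
}

# nat_forward PROTO "SPEC"   (PROTO is tcp or udp)
nat_forward() {
    proto="$1"
    for entry in $2; do
        lhs="${entry%%>*}"; rhs="${entry#*>}"
        # Optional source list before ':' on the left-hand side.
        case "$lhs" in
            *:*) srcs="$(echo "${lhs%%:*}" | tr ',' ' ')"; ports="${lhs#*:}" ;;
            *)   srcs=""; ports="$lhs" ;;
        esac
        # Optional rewritten port after ':' on the right-hand side.
        case "$rhs" in
            *:*) dest="${rhs%%:*}"; dport="${rhs#*:}" ;;
            *)   dest="$rhs"; dport="" ;;
        esac
        for port in $(echo "$ports" | tr ',' ' '); do
            to="$dest"; fwd_port="$(port_match "$port")"
            if [ -n "$dport" ]; then to="$dest:$dport"; fwd_port="$dport"; fi
            # With no source restriction, emit a single rule without -s.
            for src in ${srcs:-any}; do
                src_match=""
                if [ "$src" != any ]; then src_match="-s $src"; fi
                run -t nat -A PREROUTING -i "$EXT_IF" $src_match -p "$proto" \
                    --dport "$(port_match "$port")" -j DNAT --to-destination "$to"
                run -A FORWARD -i "$EXT_IF" $src_match -p "$proto" \
                    --dport "$fwd_port" $(dest_match "$dest") -j ACCEPT
            done
        done
    done
}

# Sample specs taken from the values posted in the thread.
nat_forward udp "5198-5199>10.10.11.1-10.10.11.46 5198-5199>10.10.12.1-10.10.12.46"
nat_forward tcp "20,21,25,80,110,443,445,10000>10.10.10.6"
```

Run it as-is to see the rule set; set DRY_RUN=0 (as root) to apply it. Each FORWARD rule is scoped to the forwarded destination and ports, so inspecting the printed output shows exactly which internal hosts become reachable and on what.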
jnielsendotnet Commented:
If you only have one IP address on the outside then you can only forward a given port to one IP address on the inside at any given time.

JN
ahoffmann Commented:
> but when I try to forward them to all the addresses,
That's what masquerading is for, but it works for related packets only;
otherwise you have to break down your destination to a subnet, for example 10.10.12.0/192, and simply ACCEPT these packets.