?
Solved

forwarding two UDP ports to multiple IP addresses

Posted on 2005-03-17
5
Medium Priority
?
662 Views
Last Modified: 2012-05-05
I have 1 public static IP going to one sever then from the server I'm using NAT through a second NIC for the rest of my network and on some of my machines I need to be able to recieve on UDP ports 5198 and 5199, I don't want to open up the rest of my network to these port
I am using IPtables and am trying to forward UDP port 5198 and 5199 to 10.10.11.1 - 10.10.11.46 and 10.10.12.1 - 10.10.12.46.
I have no trouble forwarding the ports to any one of these addresses, but when I try to forward them to all the address, I get no error from the IPtables but none of my machines can see that the ports are open.

Any help would be great.
Thank You
0
Comment
Question by:jducharme23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 14

Expert Comment

by:pablouruguay
ID: 13567315
;paste the rules of iptables for open this ports and forward please
0
 
LVL 3

Accepted Solution

by:
esanchezvela earned 1500 total points
ID: 13567440
Hi,

Check on this IPTABLES tutorial (http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERINGOFTABLES point 6.5.2, the use of "--to-destination" flag for the DNAT target.....


iptables -nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination 192.168.2.2-192.168.2.10

I know, this example refers to a tcp packet but that should be easy to change.

regards,
esv.
0
 

Author Comment

by:jducharme23
ID: 13568102
####################################################################################
# You should put this config-file (iptables-firewall.conf) in for example in /etc/ #
# Make sure it's only root readable! -> "chmod 600" & "chown root" it!)            #
####################################################################################

# ----------------------------------------------------------------------------------------------------------------------
# Configuration file for Arno's iptables single- & multi-homed firewall script (rc.iptables)
# (C) Copyright 2001-2003 by Arno van Amersfoort
# Homepage              : http://rocky.molphys.leidenuniv.nl/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email                 : a r n o v a AT x s 4 a l l DOT n l
# ----------------------------------------------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
# ----------------------------------------------------------------------------------------------------------------------


############################################
# Required variables for correct operation #
############################################
IPTABLES="/sbin/iptables"         # Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
                                  # to manually locate it).
EXT_IF="eth0"                     # The external interface that will be protected (and used as internet connection)
                                  # This is probably ppp+ for (A)DSL (for non-transparant (A)DSL routers!)
                                  # otherwise it should be "ethX" (ex. eth0)
EXT_IF_DHCP_IP=0                  # Enable if THIS machines (dynamically) obtains its IP through DHCP (from your ISP)

#################################################################################################################
# These options should (only) be used when you have an ADSL/DSL modem which works with a                        #
# PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or simular 'ppp' connection).                 #
#                                                                                                               #
# You can check whether this applies for your (hardware) setup with 'ifconfig' (a 'ppp' device is shown).       #
# This means that if your modem is bridging (a transparant (NAT) router) or the network interface the modem is  #
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)!                   #
#################################################################################################################
#MODEM_IF="eth1"                   # The physical(!) network interface your ADSL modem is connected to (this is not ppp0!)
#MODEM_IF_IP="10.0.0.150"          # (OPTIONAL!) The IP of the network interface (MODEM_IF) your ADSL modem is connected
                                  # to (IP shown for the modem interface (MODEM_IF) in 'ifconfig')
#MODEM_IP="10.0.0.138"             # (OPTIONAL!) The IP of your (A)DSL modem itself

#####################################
# LAN & NAT (masquerading) settings #
#####################################
INT_IF="eth1"                     # Internal network interface or interfaces (multiple(!) interfaces should be
                                  # space seperated). Remark this if you don't have any internal network interfaces.
INTERNAL_NET="10.0.0.0/8"         # Your internal subnet which is connected to the internal interface (INT_IF. For
                                  # multiple interfaces(!) you can either specify multiple subnets here or specify one
                                  # big subnet for all internal interfaces. Note that packets from these subnets are always
                                  # accepted!
NAT=1                             # Enable this if you want to perform NAT for your internal network (LAN)
                                  # (ie, share your internet connection with your internal net(s) connected to INT_IF)
#NAT_STATIC_IP="193.2.1.1"         # (EXPERT SETTING!). In case you would like to use SNAT instead of MASQUERADING then
                                  # uncomment and set the IP here of your static external IP-address.

                                  # (EXPERT SETTING!). Use this variable only if you want specific subnets or hosts to
NAT_INTERNAL_NET="10.10.9.0/24 10.10.10.0/24 10.10.11.0/24 10.10.12.0/24 10.10.13.0/24 10.10.21.0/24 10.10.22.0/24"
                                  # be able to access the internet. When no value is specified, you're whole internal LAN
                                  # will have access. In both cases its only meaningful of course when NAT is enabled.

MODEM_INTERNAL_NET=$INTERNAL_NET  # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should have
                                  # access to the (A)DSL modem itself (manage modem settings). The default setting
                                  # ($INTERNAL_NET) allows access from everybody on your LAN.
#PROXY_PORT="3128"                 # Enable this if you want to use a transparent proxy for your internal network
                                  # (auto redirect of HTTP (port 80) traffic). You can optionally specify another
                                  # proxy port (the default is set to 3128). Note that transparent proxies don't support
                                  # username/password verification!

####################
# General settings #
####################
MANGLE_TOS=1                      # Enable this if you want TOS mangling (RFC)
SET_MSS=1                         # Set the maximum packet size via the Maximum Segment Size(MSS field)
RESOLV_IPS=0                      # Enable this to resolve names of DNS/TH IP's etc.
USE_IRC=1                         # Enable support for the IRC-protocol
LOOSE_FORWARD=0                   # Forward loosen. Enable this option to allow the use of protocols like UPnP. Note
                                  # that it *could* be less secure.
DROP_PRIVATE_ADDRESSES=1          # Enable this if you want to drop packets originating from a private address. Normally
                                  # this should be enabled(1).
DROP_IANA_RESERVED=0              # Enable this if you want to drop addresses which are registered as reserved by IANA.
                                  # This option exists as the IANA list simply changes too often.
DRDOS_PROTECT=1                   # Protect this machine from being abused for a DRDOS-attack (Distributed Denial Of
                                  # Service attack).
DHCP_BOOTP_NET=""                 # Enter the subnet here you running a DHCP/BOOTP service (server) for on the
                                  # external interface(!). Note that you don't need this for internal networks, as for
                                  # these nets all protocols (also DHCP) are accepted by default.
FREESWAN_NET=""                   # Enter your remote Freeswan subnet(s) here to enable "Virtual IP"
                                  # support for Freeswan. This allows you to have remote Virtual IP's which are in the
                                  # same subnet as yourself, to be routed into your network.

#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
BLOCKED_HOST_LOG=0                # Enable logging for explicitly blocked hosts
SCAN_LOG=1                        # Enable logging for various stealth scans (reliable)
POSSIBLE_SCAN_LOG=0               # Enable logging for possible stealth scans (less reliable)
BAD_FLAGS_LOG=0                   # Enable logging for TCP-packets with bad flags
INVALID_PACKET_LOG=0              # Enable logging of invalid packets
RESERVED_NET_LOG=0                # Enable logging of source IP's with reserved addresses
FRAG_LOG=0                        # Enable logging of fragmented packets
DHCP_BROADCAST_LOG=0              # Enable logging of DHCP broadcasts. You probably want to disable(0) this if you
                                  # have a DHCP server in your subnet but don't use it yourself.
LOST_CONNECTION_LOG=0             # Enable logging of (probable) "lost connections". Keep disabled to reduce false alarms
DENY_LOG=1                        # Enable logging for explicitly DENIED packets (ports / protocols)
REJECT_LOG=0                      # Enable logging for explicitly REJECTED packets (ports)
OUTPUT_DENY_LOG=1                 # Enable logging of denied OUTPUT(local) or FORWARD(internal network) connections.
ICMP_DROP_LOG=0                   # Enable logging for dropped ICMP-requests
PRIV_TCP_LOG=0                    # Enable logging of (other) connection attempts to privileged TCP ports
PRIV_UDP_LOG=0                    # Enable logging of (other) connection attempts to privileged UDP ports
UNPRIV_TCP_LOG=0                  # Enable logging of (other) connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=0                  # Enable logging of (other) connection attempts to unprivileged UDP ports
OTHER_IP_LOG=0                    # Enable logging of (other) connection attempts to "other-IP"-protocols (non TCP/UDP/ICMP)
ICMP_FLOOD_LOG=0                  # Enable logging for ICMP flooding
#FIREWALL_LOG=/var/log/firewall    # (EXPERT SETTING!). The location of the dedicated firewall log file. When enabled
                                  # the firewall script will also log start/stop etc. info to this file as well.
                                  # Note that in order to make this work, you should also configure syslogd to log
                                  # firewall messages to this file (see LOGELVEL below for further info)
LOGLEVEL=info                     # Current log-level ("info": default kernel syslog level)
                                  # "debug": can be used to log to /var/log/firewall,
                                  # but you have to configure syslogd accordingly (see included syslogd.conf example)

###########################################
# /proc based settings (EXPERT SETTINGS!) #
###########################################
SYN_PROT=1                        # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1              # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=1                     # Enable if you want to automatically ignore all ICMP echo-requests (IPv4)
                                  # this is very useful in stopping lame DoS-Attacks (aka ping -f's)
LOG_MARTIANS=0                    # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0                   # Enable if you want to accept ICMP redirect messages
                                  # Should be set to "0" in case of a router
HIGHER_CONNTRACK=1                # Enable if you want to handle a huge number of simultanteous connections
                                  # (uses more memory but recommended for (high-traffic) servers)
LOOSE_UDP_PATCH=0                 # You may need to enable this to get some internet games to work,
                                  # but note that it's *less* secure
ECN=0                             # Enable ECN (Explicit Congestion Notification) TCP flag
                                  # Disabled by default, as some routers are still not compatible with this
RP_FILTER=1                       # Use the rp_filter to drop connections from non-routable IPs. This should be
                                  # disabled(0) when you for example want to use Freeswan (VPN) to route external private
                                  # addresses into your network.

#################################################################################################################
# (EXPERT SETTING!). Put in the following variable to specify the subnets that are DMZ-classified.              #
# This means that any FORWARD traffic from the external interface (in)to these interfaces is allowed.           #
#################################################################################################################
DMZ_IF=""

#################################################################################################################
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP traffic should be ACCEPTED.            #
# (multiple(!) interfaces should be space seperated). Be warned that anything TO and FROM these interfaces is   #
# allowed (ACCEPTED) so make sure its NOT routable(accessible) from the outside world (internet)!               #
#################################################################################################################
TRUSTED_IF=""

#################################################################################################################
# Put in the following variable which hosts (subnets) you want have full access via your internet (EXT_IF)      #
# connection(!). NOTE: Don't mistake this variable with the one used for internal nets (INT_IF)                 #
#################################################################################################################
FULL_ACCESS_HOSTS=""

#################################################################################################################
# Put in the following variable which DNS servers you use                                                       #
# Only required when you run your own DNS server (for example BIND)                                             #
#################################################################################################################
DNS_SERVERS="198.235.216.130 198.235.216.131"

# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
ROOT_DNS_SERVERS="128.63.2.53    192.33.4.12  192.112.36.4 192.5.5.241  128.9.0.107 \
                  198.41.0.10    193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
                  192.203.230.10 128.8.10.90  198.41.0.4"

#################################################################################################################
# Put in the following variables which ports or IP protocols you want to leave open to the whole world          #
#################################################################################################################
OPEN_TCP="22 10001"
OPEN_UDP="53"
OPEN_IP=""
OPEN_ICMP=0

#################################################################################################################
# Put in the following variables the TCP/UDP ports you want to block for everyone. Also use these variables     #
# if you want to log connection attempts to these ports from everyone (also trusted & full access hosts)        #
#################################################################################################################
DENY_TCP=""
DENY_UDP=""

#################################################################################################################
# Put in the following variables which hosts you want to allow for certain services                             #
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (HOST_OPEN_IP)                   : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports you want to REJECT (instead of DROP) for certain hosts.    #
# TCP/UDP port format (HOST_REJECT_xxx)               : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""

#################################################################################################################
# Put in the following variables which ports you want to block for everyone but NOT logged.                     #
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm)       #
# and don't want your logs flooded with it.                                                                     #
#################################################################################################################
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you DON'T want to log connection attempts  #
# to from certain hosts.                                                                                        #
# TCP/UDP port format (HOST_xxx_NOLOG)                : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (HOST_IP_LOG)                    : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""

#################################################################################################################
# Put in the following variables which hosts you want to deny for certain services                              #
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""

#################################################################################################################
# Put in the following variables which ports/protocols THIS machine is NOT permitted to connect TO              #
# (remote end-point) via the external (internet) interface. Example of usage is for blocking IRC (tcp 6666:6669)#
#################################################################################################################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log connection attempts to     #
# from certain hosts.                                                                                           #
# TCP/UDP port format (LOG_HOST_xxx)                  : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (LOG_HOST_IP)                    : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
LOG_HOST_TCP=""
LOG_HOST_UDP=""
LOG_HOST_IP=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log outgoing connections       #
# (attempts) of (packet watch).                                                                                 #
#################################################################################################################
LOG_TCP_OUTPUT=""
LOG_UDP_OUTPUT=""
LOG_IP_OUTPUT=""

#################################################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log incoming connections       #
# (attempts) of (packet watch).                                                                                 #
#################################################################################################################
LOG_TCP_INPUT=""
LOG_UDP_INPUT=""
LOG_IP_INPUT=""

#################################################################################################################
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to an internal client through (D)NAT     #
# TCP/UDP form : "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} {SRCIP3,...:}PORT3,...>DESTIP2:port}"#
# IP form      : "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 {SRCIP3:}PROTO3,PROTO4,...>DESTIP2"             #
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a different port on the internal client    #
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source IP addresses                       #
# NOTE 3: Port ranges MUST be written as "PORT1-PORT3" (ie. "1024-1030" would include ports 1024 until 1030)    #
#################################################################################################################
# NAT TCP port-forward(s).
#NAT_TCP_FORWARD="25>10.10.10.2 20,21,80,443,10000>10.10.10.6"
NAT_TCP_FORWARD="20,21,25,80,110,443,445,10000>10.10.10.6"
NAT_UDP_FORWARD="5198-5199>10.10.11.1-10.10.11.46 5198-5199>10.10.12.1-10.10.12.46"    
                                  # TCP/UDP port forward examples:
                                  # Simple      : NAT_xxx_FORWARD="80>192.168.0.10"
                                  # Advanced    : NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
NAT_IP_FORWARD=""                 # NAT IP protocol forward(s) (useful for forwarding non-TCP/UDP/ICMP protocols).
                                  # NAT IP protocol forward example: "47,48>192.168.0.10"

#################################################################################################################
# (EXPERT SETTING!) Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point)      #
# which the MASQUERADED hosts(LAN) are permitted to connect to via the external (internet) interface. When      #
# these variables are empty (""), these hosts are permitted to connect ANY port/protocol.                       #
#################################################################################################################
LAN_ALLOW_TCP=""
LAN_ALLOW_UDP=""
LAN_ALLOW_IP=""

#################################################################################################################
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) which the MASQUERADED  #
# hosts(LAN) are NOT permitted to connect to via the external (internet) interface. Examples of usage are for   #
# blocking IRC (TCP 6666:6669) for the internal network                                                         #
#################################################################################################################
LAN_DENY_TCP="25"
LAN_DENY_UDP=""
LAN_DENY_IP="25"

#################################################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host)  #
#################################################################################################################
BLOCK_HOSTS=""

# Location of the BLOCKED HOSTS file (if any). Note that the last line of this file should always contain a
# carriage-return (enter)!
###########################################################################################################
BLOCK_HOSTS_FILE=/etc/iptables-blocked-hosts

# Location of the custom IPTABLES rules file (if any):
######################################################
CUSTOM_RULES=/etc/iptables-custom-rules
0
 
LVL 2

Expert Comment

by:jnielsendotnet
ID: 13568759
If you only have one IP address on the outside then you can only forward a given port to one IP address on the inside at any given time.

JN
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 13569608
>  but when I try to forward them to all the address,
that's what masquerading is for, but it works for related packets only
otherwise you've to bracke down you destination to a subnet, for example 10.10.12.0/192 and simply ACCEPT these packets
0

Featured Post

WordPress Tutorial 3: Plugins, Themes, and Widgets

The three most common changes you will make to your website involve the look (themes), the functionality (plugins), and modular elements (widgets).

In this article we will briefly define each again, and give you directions on how to install them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question