• Status: Solved

Port Forwarding on IPTABLES

Hi,
   I have a Linux router set up and I want to forward all requests on 3389 (terminal server) to an internal IP address.  

This is what I have so far, but it doesn't work; I get "Client could not connect to the remote computer" when I try.  
******************************************************************************

$IPTABLES -A INPUT -i $EXTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $EXTIF --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT


******************************************************************************
$EXTIF = External Interface
$INTIF = Internal Interface (192.168.0.1)
Target computer for Terminal Server = 192.168.0.194

Can someone please tell me what I need to do to get this working?  
marxyCommented:
Iptables uses rules sequentially.

You use -A to append the rules.
If there is a last rule (as is usual) that denies everything, then your appended rules won't work.

Use this to inspect
iptables -L -n

Maybe use -I to insert the rules instead of -A to append
ahoffmannCommented:
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF  --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
gcmachelAuthor Commented:
I tried and this is still giving the error:  "Client could not connect to the remote computer"

Now this is a multi-homed server, do I need to account for the internal IP address of the linux router?  

I have this setup so that $EXTIF is the external DHCP address that I get from my ISP.  $INTIF is the IP address on my local network (192.168.0.1).  And 192.168.0.194 is a laptop on my internal network that I want to connect to from the Internet.  

Not sure what I need here, can you help?  
ahoffmannCommented:
check with
   tcpdump -l -n -i $EXTIF

which packets pass and which get blocked
XoFCommented:
You don't need the rules in the INPUT and OUTPUT chains, as packets in this case only traverse the FORWARD chain. But what you need is to allow the way back explicitly, so try this one:

$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF  --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -s 192.168.0.194 -m state --state ESTABLISHED,RELATED -j ACCEPT

HTH,

-XoF-
gcmachelAuthor Commented:
This still isn't working ... grrr  :)

I tried this with and without the INPUT and OUTPUT chains.  Do I need to forward from $EXTIF to $INTIF and then to 192.168.0.194?  


$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF  --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -s 192.168.0.194 -m state --state ESTABLISHED,RELATED -j ACCEPT
ahoffmannCommented:
> $IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
this rule never matches (hopefully)

please go with tcpdump and check on both interfaces which packets are passed through
XoFCommented:
argghh,

just forgot the NAT-rule for the way back:

$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF  --dport 3389 -j DNAT --to 192.168.0.194:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i $INTIF -s 192.168.0.194 -m state --state ESTABLISHED,RELATED -j ACCEPT


$IPTABLES -t nat -A POSTROUTING -p tcp -i $INTIF -s 192.168.0.194 --sport 3389 -j SNAT --to-source <external-IP>:3389
or
$IPTABLES -t nat -A POSTROUTING -i $INTIF -o $EXTIF -j MASQUERADE


Attention:
The whole discussion here assumes, that there are _no_ other filter rules in place!
If there exist other rules, the outputs of "iptables -nv -L" and "iptables -t nat -nv -L" would be very helpful!

HTH,

-XoF-
XoFCommented:
OT

ahoffmann,
think we should keep on old times and do some knowledge-sharing on the phone....;)
I just love these discussions...;)

>  > $IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
> this rule never matches (hopefully)

meep!

this rule _is_ matching!

the packet comes in on $EXTIF, runs through the PREROUTING chain, which will modify the IP headers. After that, the routing decision takes place. As the destination address is now 192.168.0.194:3389, the packet has to be routed and therefore traverses the FORWARD chain, which has to allow the packet with destination address 192.168.0.194:3389.....

Any other opinions yet?

-XoF-
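A minimal, working form of the rule set XoF describes in the two posts above (DNAT in PREROUTING, then FORWARD, with connection tracking taking care of the reply direction), as an added example that is not code from this thread. It assumes the external interface eth0, the internal interface eth1 and the target 192.168.0.194 from the question, and an iptables whose conntrack match is available (on very old kernels `-m state --state` is the equivalent). The function inserts its rules at the head of each chain, so an existing catch-all such as drop-and-log-it cannot sit in front of them, and it adds nothing to INPUT or OUTPUT, because forwarded packets never traverse those chains. Setting IPTABLES=echo turns it into a dry run that only prints the commands.

```sh
#!/bin/sh
# Added example (not from the thread): minimal DNAT port-forward for TCP/3389.
# Assumptions: external interface eth0, internal interface eth1, target
# 192.168.0.194 (from the question), and an iptables with the conntrack match.
# IPTABLES defaults to the real binary; IPTABLES=echo gives a dry run that only
# prints the commands.
IPTABLES="${IPTABLES:-iptables}"

# rdp_forward EXTIF INTIF TARGET_IP [PORT]
# A forwarded packet traverses nat/PREROUTING, the routing decision, then
# filter/FORWARD and nat/POSTROUTING. It never visits INPUT or OUTPUT, so no
# rules are added there. Rules are inserted at position 1 so that an existing
# catch-all (like drop-and-log-it above) cannot sit in front of them.
rdp_forward() {
    extif=$1; intif=$2; target=$3; port=${4:-3389}

    # 1. Rewrite the destination of connections arriving on the external
    #    interface. The nat table only sees the first packet of a connection;
    #    conntrack remembers the mapping and un-NATs the replies from $target
    #    automatically, so no SNAT rule for the reply direction is required.
    "$IPTABLES" -t nat -I PREROUTING 1 -i "$extif" -p tcp --dport "$port" \
        -j DNAT --to-destination "$target:$port"

    # 2. After DNAT the routing decision sees destination $target, so the SYN
    #    goes through FORWARD and must be accepted there.
    "$IPTABLES" -I FORWARD 1 -i "$extif" -o "$intif" -p tcp -d "$target" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Everything belonging to a tracked connection, in both directions.
    "$IPTABLES" -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# check_forwarding: FORWARD is only consulted if the kernel routes packets.
check_forwarding() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    [ "$(cat "$f")" = 1 ] || {
        echo "net.ipv4.ip_forward is 0; enable it with: sysctl -w net.ipv4.ip_forward=1" >&2
        return 1
    }
}

case "${1:-}" in
    dry-run) (IPTABLES=echo; rdp_forward "${2:-eth0}" "${3:-eth1}" "${4:-192.168.0.194}") ;;
    apply)   check_forwarding && rdp_forward "${2:?extif}" "${3:?intif}" "${4:?target}" ;;
esac
```

Run it as `sh rdp_forward.sh dry-run eth0 eth1 192.168.0.194` to see the three commands, or `apply` (as root) to install them; the script name is assumed. A MASQUERADE or SNAT rule in POSTROUTING is still wanted for the LAN's own outbound traffic, but it is independent of this forward: the DNAT mapping is reversed by conntrack on the way back. After applying, `tcpdump -ni eth1 tcp port 3389` shows whether the rewritten SYN actually leaves on the internal interface and whether 192.168.0.194 answers, which separates a firewall problem from a problem on the laptop.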
gcmachelAuthor Commented:
OK, here are results from the two commands you asked me to run.  XX.XX.XX.XX is my external IP address.

[root@tankjr ~]# iptables -nv -L
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   51  9113 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
   59  3090 ACCEPT     all  --  eth0   *       0.0.0.0/0            XX.XX.XX.XX         state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    4   192 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            XX.XX.XX.XX         state NEW,RELATED,ESTABLISHED tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3784
   41  9303 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spts:5000:5004
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spts:30000:30010

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.194       tcp dpt:3389
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.194        0.0.0.0/0           state RELATED,ESTABLISHED
 4948 2680K ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 3925  756K ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 3 packets, 560 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    XX.XX.XX.XX          192.168.0.0/24
   19  2256 ACCEPT     all  --  *      eth1    192.168.0.0/24       192.168.0.0/24
    0     0 drop-and-log-it  all  --  *      eth0    0.0.0.0/0            192.168.0.0/24
  110  116K ACCEPT     all  --  *      eth0    XX.XX.XX.XX          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      eth1    192.168.0.0/24       255.255.255.255     tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth1    192.168.0.0/24       255.255.255.255     udp spt:67 dpt:68
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           udp spts:5000:5004
    0     0 ACCEPT     tcp  --  *      eth1    0.0.0.0/0            0.0.0.0/0           tcp spts:30000:30010
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3389

Chain drop-and-log-it (5 references)
 pkts bytes target     prot opt in     out     source               destination
   41  9303 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
   41  9303 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable




[root@tankjr ~]# iptables -t nat -nv -L
Chain PREROUTING (policy ACCEPT 24196 packets, 16M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            XX.XX.XX.XX         tcp dpt:1720 to:192.168.0.191:1720
    1    48 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.0.194:3389

Chain POSTROUTING (policy ACCEPT 13 packets, 662 bytes)
 pkts bytes target     prot opt in     out     source               destination
   73  5028 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:24.23.4.208

Chain OUTPUT (policy ACCEPT 118 packets, 9474 bytes)
 pkts bytes target     prot opt in     out     source               destination
macker-Commented:
You may want to try asking this question in a networking-specific category, vs. security.  While your goal is security, this is solidly in the realm of networking, as the motivation is not an issue here and you're more likely to reach people who know iptables.

I would also recommend using the option --line-numbers to keep things straightforward, as you obviously need to be using INSERT rather than APPEND mode in several places.  It appears to me that you're trying to use this in conjunction with an existing firewall script; you may want to modify that script, rather than append additional commands.

E.g. in your INPUT chain, the final matching target chain (drop-and-log-it) appears prior to the rules for UDP 5000:5004 and TCP 30000:30010.  Since the previous rule matches anything that has not yet been matched, these subsequent rules will never be applied.

The rules appear to be mostly accurate. Do you have all the appropriate modules loaded (e.g. iptable_mangle)?  Do you know if port forwarding has worked in the past?  Are you able to 'telnet 192.168.0.194 3389' from the firewall?  Have you tried the same from a remote host, and if so, did the connection time out or was it refused?
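The reachability check macker recommends, as an added example that is not from this thread: a POSIX shell/awk script that reads `iptables -nv -L` output and reports every rule that sits behind an unconditional rule with a terminating target in the same chain (rule numbers match `iptables -nv -L --line-numbers`). ACCEPT, DROP and REJECT count as terminating, and a user chain counts as terminating when it itself contains an unconditional DROP or REJECT, as drop-and-log-it does here. The embedded sample is the INPUT and drop-and-log-it chains copied from the first listing above; the column positions assume the standard `iptables -nv -L` layout.

```sh
#!/bin/sh
# Added example (not from the thread): report iptables rules that can never
# match because an earlier rule in the same chain already terminates every
# packet. Reads `iptables -nv -L` output; field layout assumed:
#   $1 pkts $2 bytes $3 target $4 prot $5 opt $6 in $7 out $8 src $9 dst $10.. options

# find_shadowed: iptables -nv -L listing on stdin, one report line per dead rule.
find_shadowed() {
    awk '
    # Unconditional: any protocol, any interface, any address, and whatever
    # follows column 9 is a target option (reject-with, LOG ..., to:...) rather
    # than a match (tcp dpt:..., state ...).
    function is_uncond() {
        if (!($4 == "all" && $6 == "*" && $7 == "*" &&
              $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0")) return 0
        if (NF == 9) return 1
        return ($10 == "reject-with" || $10 == "LOG" || $10 ~ /^to:/)
    }
    function is_builtin_terminal(t) { return (t == "ACCEPT" || t == "DROP" || t == "REJECT") }

    /^Chain /      { chain = $2; order[++nchains] = chain; n[chain] = 0; next }
    $1 == "pkts"   { next }   # column header
    NF == 0        { next }   # blank line between chains
    {
        i = ++n[chain]
        s = $0; sub(/^ +/, "", s)
        line[chain, i]   = s
        target[chain, i] = $3
        uncond[chain, i] = is_uncond()
    }
    END {
        # A user chain is terminating if it holds an unconditional DROP/REJECT:
        # no packet jumped into it ever returns to the calling chain.
        for (c = 1; c <= nchains; c++) {
            ch = order[c]
            for (i = 1; i <= n[ch]; i++)
                if (uncond[ch, i] && (target[ch, i] == "DROP" || target[ch, i] == "REJECT"))
                    terminal[ch] = 1
        }
        for (c = 1; c <= nchains; c++) {
            ch = order[c]; by = 0
            for (i = 1; i <= n[ch]; i++) {
                if (by)
                    printf "%s: rule %d is unreachable (shadowed by rule %d): %s\n", ch, i, by, line[ch, i]
                else if (uncond[ch, i] && (is_builtin_terminal(target[ch, i]) || terminal[target[ch, i]]))
                    by = i
            }
        }
    }'
}

# Constructed sample: the INPUT and drop-and-log-it chains as posted in the
# first `iptables -nv -L` listing in this thread.
sample_dump() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   51  9113 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 drop-and-log-it  all  --  eth0   *       192.168.0.0/24       0.0.0.0/0
   59  3090 ACCEPT     all  --  eth0   *       0.0.0.0/0            XX.XX.XX.XX         state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    4   192 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            XX.XX.XX.XX         state NEW,RELATED,ESTABLISHED tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3784
   41  9303 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           udp spts:5000:5004
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp spts:30000:30010

Chain drop-and-log-it (5 references)
 pkts bytes target     prot opt in     out     source               destination
   41  9303 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
   41  9303 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
EOF
}

case "${1:-}" in
    demo) sample_dump | find_shadowed ;;   # run against the embedded sample
    -)    find_shadowed ;;                 # iptables -nv -L | sh shadowed_rules.sh -
esac
```

`sh shadowed_rules.sh demo` (the script name is assumed) reports INPUT rules 11 and 12 as shadowed by rule 10, which is the pair macker points out. Fed the complete first listing, it also flags OUTPUT rule 11, the appended `tcp spt:3389` ACCEPT, because the OUTPUT chain's own drop-and-log-it catch-all precedes it; that rule is irrelevant to the forward in any case, but it shows why appending to a script that ends in a catch-all silently does nothing.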
gcmachelAuthor Commented:
Thanks for all your help everyone, but I'm still not getting this.   I worked on it all night.  Here are my updates:  
****************************************************************************
Rules:

$IPTABLES -A OUTPUT -p tcp --sport 3389 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3389 -j ACCEPT

$IPTABLES -t nat -A POSTROUTING -p tcp -s 192.168.0.194 --sport 3389 -j SNAT --to-source $EXTIP:3389
$IPTABLES -A FORWARD -p tcp -i $EXTIF -d 192.168.0.194 --dport 3389 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 3389 -j DNAT --to 192.168.0.194:3389
****************************************************************************
[root@tankjr]# iptables -t nat -nv -L

Chain PREROUTING (policy ACCEPT 11575 packets, 9600K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 to:192.168.0.194:3389

Chain POSTROUTING (policy ACCEPT 35 packets, 2091 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       tcp  --  *      *       192.168.0.194        0.0.0.0/0           tcp spt:3389 to:24.23.4.208:3389
    5   352 SNAT       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           to:24.23.4.208

Chain OUTPUT (policy ACCEPT 60 packets, 4287 bytes)
 pkts bytes target     prot opt in     out     source               destination

****************************************************************************
[root@tankjr]# iptables -nv -L

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  214 16757 ACCEPT     all  --  eth1   *       192.168.0.0/24       0.0.0.0/0
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            24.23.4.208         state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            24.23.4.208         state NEW,RELATED,ESTABLISHED tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:3389
    9  2680 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.0.194       tcp dpt:3389
   95 96905 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   82  6813 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 6 packets, 1548 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth1    24.23.4.208          192.168.0.0/24
  193 33256 ACCEPT     all  --  *      eth1    192.168.0.0/24       192.168.0.0/24
    0     0 ACCEPT     all  --  *      eth0    24.23.4.208          0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:3389
    0     0 ACCEPT     tcp  --  *      eth1    192.168.0.0/24       255.255.255.255     tcp spt:67 dpt:68
    0     0 ACCEPT     udp  --  *      eth1    192.168.0.0/24       255.255.255.255     udp spt:67 dpt:68
    0     0 drop-and-log-it  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain drop-and-log-it (3 references)
 pkts bytes target     prot opt in     out     source               destination
    9  2680 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6
    9  2680 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


I am about to give up on this, ditch my Linux router and submit to Cisco; very frustrated.  I do appreciate everyone trying to help though ... Thanks!  
ahoffmannCommented:
> 0    0 SNAT     tcp  --  *      *       192.168.0.194     0.0.0.0/0        tcp spt:3389 to:24.23.4.208:3389
> 5  352 SNAT     all  --  *      eth0    0.0.0.0/0         0.0.0.0/0        to:24.23.4.208

is there a reason why you SNAT 24.23.4.208?
XoFCommented:
well, I assume, the OP needs to masq his LAN's RFC-addresses...;)
When using static IPs on the external interface, the use of SNAT instead of MASQUERADE is highly recommended, as SNAT keeps its connection tracking table even across an interface restart. See "man iptables".

Cheers,

-XoF-
gcmachelAuthor Commented:
I've had enough of this and I'm throwing in the towel.  I need to hit the books and learn IPTables better before I lose any more sleep over this.  Thanks for all your help.  