Solved

IPtables firewall | RDP access

Posted on 2010-09-14
16
917 Views
Last Modified: 2013-11-16
Hi All

I've got a question for all you iptables experts out there.
I currently have an Ubuntu 10.04 iptables firewall with NAT enabled. The server has approximately 8 internet IP addresses that I would like to map RDP sessions to on my internal network.
internet-IP-1 --> RDP --> internal-server-1
internet-IP-2 --> RDP --> internal-server-2
internet-IP-3 --> RDP --> internal-server-3
internet-IP-4 --> RDP --> internal-server-4
internet-IP-5 --> RDP --> internal-server-5

Would someone be able to give me the syntax that I would need to use, please?

Many thanks in advance
0
Comment
Question by:TazzEE
16 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 33669794
iptables -I PREROUTING -d <internet_IP_1> -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3389
iptables -I FORWARD -d <internal_IP_1> -m tcp -p tcp --dport 3389 -j ACCEPT

You could also limit the allowed remote IP addresses in these rules.
0
 

Author Comment

by:TazzEE
ID: 33669837
Cool, I'll give that a try and get back to you. Thanks for the quick reply.
0
 
LVL 16

Accepted Solution

by:
Blaz earned 300 total points
ID: 33669860
Just noticed that the first statement is missing "-t nat", so:
iptables -t nat -I PREROUTING -d <internet_IP_1> -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3389
0
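The accepted solution above gives the two rules for one public address; as an added example (not code from the thread or from Blaz), the script below generates the same DNAT and FORWARD pair for each public-IP/internal-server mapping, plus the return-traffic and MASQUERADE rules that the asker's ruleset shows. Interface names, the allowed client network and all addresses are constructed placeholders; rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example: emit one nat/PREROUTING DNAT rule and one filter/FORWARD rule per
# PUBLIC:INTERNAL pair, for RDP (TCP 3389). Output is printed so it can be reviewed
# before being run as root. Interface names and IPs are assumed placeholders.
WAN_IF=eth0
LAN_IF=eth1
RDP_PORT=3389

# $1: allowed remote source network (CIDR, or 0.0.0.0/0); remaining args: PUBLIC:INTERNAL pairs.
gen_rdp_dnat_rules() {
    allowed_src=$1; shift
    # Reply packets of forwarded connections are matched once by conntrack state.
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    for pair in "$@"; do
        pub=${pair%%:*}
        int=${pair##*:}
        # nat table: rewrite the destination of inbound RDP aimed at this public address.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -s $allowed_src -p tcp --dport $RDP_PORT -j DNAT --to-destination $int:$RDP_PORT"
        # filter table: FORWARD sees the packet after DNAT, so match the internal address.
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $int -s $allowed_src -p tcp --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Outbound LAN traffic is masqueraded; DNAT replies are un-translated by conntrack, not by this rule.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Constructed sample: two public addresses, two internal servers, one permitted client network.
gen_rdp_dnat_rules 198.51.100.0/24 203.0.113.10:172.16.1.10 203.0.113.11:172.16.1.11
```

Restricting `-s` to a known client network, as Blaz suggests, keeps the DNAT from exposing RDP to the whole internet.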
 

Author Comment

by:TazzEE
ID: 33670409
Hi Blaz, that still doesn't work. I've removed all additional IPs from this server so that it now only has one, just to simplify things, but still no joy.
Any suggestions?  
0
 
LVL 16

Expert Comment

by:Blaz
ID: 33670638
Maybe you could share with us what doesn't work. Did the console command return an error? What tests did you perform, etc.?

You could start by giving us your configuration - please post the outputs of these commands:
iptables -L -nvx
iptables -t nat -L -nvx
ifconfig
0
 

Author Comment

by:TazzEE
ID: 33670947
Sorry, the RDP connection does not connect; all commands seem fine. I tried to connect to 109.231.73.70 via an RDP client on an XP PC.
 

root@ubuntu:~# iptables -L -nvx
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   *       172.29.0.0/24        0.0.0.0/0
       0        0 REJECT     all  --  eth0   *       172.29.0.0/24        0.0.0.0/0           reject-with icmp-port-unreachable
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            109.231.73.64/29
     203    19506 ACCEPT     all  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
       2       96 ACCEPT     tcp  --  eth0   *       195.234.243.130      109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
      67    10789 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.29.4.100        tcp dpt:3389
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      eth1    109.231.73.64/29     172.29.0.0/24
       0        0 ACCEPT     all  --  *      eth1    172.29.4.2           172.29.0.0/24
       0        0 REJECT     all  --  *      eth0    0.0.0.0/0            172.29.0.0/24       reject-with icmp-port-unreachable
     205    29952 ACCEPT     all  --  *      eth0    109.231.73.64/29     0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 69 packets, 10885 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.70       tcp dpt:3389 to:172.29.4.100:3389

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      14      997 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 14 packets, 997 bytes)
    pkts      bytes target     prot opt in     out     source               destination
root@ubuntu:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:36:a6:d6
          inet addr:109.231.73.70  Bcast:109.231.73.71  Mask:255.255.255.248
          inet6 addr: fe80::216:3eff:fe36:a6d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:785190 (785.1 KB)  TX bytes:4222437 (4.2 MB)
          Interrupt:32 Base address:0x8000

eth1      Link encap:Ethernet  HWaddr 00:16:3e:57:60:8a
          inet addr:172.29.4.2  Bcast:172.29.4.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe57:608a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34249 (34.2 KB)  TX bytes:7386 (7.3 KB)
          Interrupt:36 Base address:0xc100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:51333 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51333 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5749272 (5.7 MB)  TX bytes:5749272 (5.7 MB)


0
 
LVL 16

Expert Comment

by:Blaz
ID: 33671134
It seems that your previous "primary" external IP was x.x.x.64. You have several rules written to that IP so it might be a good idea to leave that IP in... But this has nothing to do with your problem.

To me it seems that the proper DNAT rule is in place:
      0        0 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.70       tcp dpt:3389 to:172.29.4.100:3389

What is strange is that the packet count is 0 for this rule - that means that no packet matching the rule came to the machine.

Oh - this just came to me - where did you test the RDP connection from? From a machine inside the network (172.29.4.x)? You should be somewhere on the internet to test this. Maybe (for testing purposes) you could also change the rule to:

iptables -t nat -I PREROUTING -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3389

This means the redirection will cover any IP - even an internal one (172.29.4.2).
0
 

Author Comment

by:TazzEE
ID: 33671466
I was testing from an external pc out on the internet. Is there any way I can turn up the logging for this so it can give me some more details as to why it is being blocked?
0
 
LVL 16

Expert Comment

by:Blaz
ID: 33671586
Logging is usually done with iptables rules themselves:
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 3389 -j LOG --log-prefix "PreroutingLog"

Then in /var/log/messages you receive an entry for every packet. A good log is also the packet/byte counters output by the command "iptables -t nat -L -nvx". If you can't get the packet at the PREROUTING chain there is a good chance that the packet never got to the machine.

Is there any firewall in the path? Does your internet provider allow connections on port 3389? What if you try to change to another port, like 43389? Does a connection to your web server work from outside?
0
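Blaz's method above is to read the packet counters stage by stage: zero hits on the nat PREROUTING DNAT rule means the packet never arrived, hits there but none in FORWARD means the forward rule does not match. As an added example (not from the thread), the helper below applies that decision to saved `iptables -nvx` listings; the two listings embedded are constructed samples in the same format the asker posted, with placeholder addresses.

```shell
#!/bin/sh
# Added example: parse the "pkts" column of iptables -nvx listings and report at which
# stage inbound RDP stops matching. Listings below are constructed, not from the thread.

# Sum the pkts column of every rule line in listing $1 whose text contains $2 (e.g. "dpt:3389").
rule_pkts() {
    printf '%s\n' "$1" | awk -v pat="$2" 'index($0, pat) && $1 ~ /^[0-9]+$/ { n += $1 } END { print n + 0 }'
}

# $1: "iptables -t nat -L PREROUTING -nvx" output; $2: "iptables -L FORWARD -nvx" output.
rdp_diagnose() {
    nat_hits=$(rule_pkts "$1" "dpt:3389")
    fwd_hits=$(rule_pkts "$2" "dpt:3389")
    if [ "$nat_hits" -eq 0 ]; then
        echo "no-arrival"     # nothing reached PREROUTING: upstream filter, ISP block or wrong public IP
    elif [ "$fwd_hits" -eq 0 ]; then
        echo "forward-drop"   # DNAT matched but FORWARD did not: interface or destination mismatch
    else
        echo "forwarded"      # both matched: look at the internal host or the return path
    fi
}

# Constructed sample: the DNAT rule counted one packet, the FORWARD rule none.
NAT_SAMPLE='Chain PREROUTING (policy ACCEPT 2 packets, 289 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       48 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10        tcp dpt:3389 to:172.16.1.10:3389'
FWD_SAMPLE='Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.16.1.10         tcp dpt:3389'

rdp_diagnose "$NAT_SAMPLE" "$FWD_SAMPLE"
```

Run it twice with a few seconds between, after attempting the RDP connection, so that counters from earlier tests do not mask a rule that has stopped matching.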
 

Author Comment

by:TazzEE
ID: 33672652
I've tried using a different port with no luck, and I tried to NAT web traffic through to another server with no luck. I'm now seeing some traffic hitting the rules using the command you sent me, but I'm still being blocked somewhere along the line.
root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 2 packets, 289 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       48 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.64/29    tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.100:3389
       3      144 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.64/29    tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.86:80

Chain POSTROUTING (policy ACCEPT 1 packets, 48 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      30     2120 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 29 packets, 2060 bytes)
    pkts      bytes target     prot opt in     out     source               destination


0
 
LVL 16

Expert Comment

by:Blaz
ID: 33672730
Great. If you see the packet count increasing on the NAT rules then some traffic is coming to your machine. You can also insert a LOG rule that will log the packet to /var/log/messages (so you can also inspect the source IP, etc.).

Now the next question is what is happening in the FORWARD chain - is any traffic hitting the rule in FORWARD chain?
iptables -L FORWARD -nvx

If not, then you must search for the reasons for that - wrong interfaces specified, etc.

If the FORWARD rule has nonzero packet count then the problem might be the reverse traffic - from your (internal) server to the client (on the internet).

Is this machine 172.29.4.2 your only firewall (and default gateway on all internal machines)? Does web access work from internal network through this machine? What is the output of command:
cat /proc/sys/net/ipv4/ip_forward
0
 

Author Comment

by:TazzEE
ID: 33673031
Ok, the FORWARD rule seems to be working fine. Yes, all my internal servers are using this box as their gateway. I can ping an external DNS server and I can surf the web with no problems. I've also RDPed out from the server to another server on the web with no problems.
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1


Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5      240 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable


0
 

Author Comment

by:TazzEE
ID: 33673310
Ok, I got the website to work (a typo on my side), but RDP still no joy :(
0
 

Author Comment

by:TazzEE
ID: 33674008

Ok, this is very strange. I've added my 2nd IP to my server and, guess what, I edited my rules to reflect my second IP and RDP started to work.
Blaz, many, many thanks for your help and patience with this.
0
 
LVL 16

Expert Comment

by:Blaz
ID: 33679581
Great that you got it working.
0
