Kevin Turnbull
asked on
IPtables firewall | RDP access
Hi All
I've got a question for all you iptables experts out there.
I currently have a ubuntu 10.04 iptables firewall with nat enabled. The server has approximately 8 internet ipadress that I would like map RDP sessions to on my internal network.
internet-IP-1 --> RDP --> internal-server-1
internet-IP-2 --> RDP --> internal-server-2
internet-IP-3 --> RDP --> internal-server-3
internet-IP-4 --> RDP --> internal-server-4
internet-IP-5 --> RDP --> internal-server-5
would someone be able to give me the syntax that I would need to use please
Many thanks in advance
I've got a question for all you iptables experts out there.
I currently have a ubuntu 10.04 iptables firewall with nat enabled. The server has approximately 8 internet ipadress that I would like map RDP sessions to on my internal network.
internet-IP-1 --> RDP --> internal-server-1
internet-IP-2 --> RDP --> internal-server-2
internet-IP-3 --> RDP --> internal-server-3
internet-IP-4 --> RDP --> internal-server-4
internet-IP-5 --> RDP --> internal-server-5
would someone be able to give me the syntax that I would need to use please
Many thanks in advance
ASKER
Cool I'll give that a try and get back to you. Thanks for the quick reply
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Blaz, that still doesn't work. I've removed all additional IP's from this server so that is now only has one just to simplify thing but still no joy.
Any suggestions?
Any suggestions?
Maybe you could share with us what doesn't work. Did the console command return an error? What tests did you perform etc.
You could start with giving us your configuration - please post the outputs of commands:
iptables -L -nvx
iptables -t nat -L -nvx
ifconfig
You could start with giving us your configuration - please post the outputs of commands:
iptables -L -nvx
iptables -t nat -L -nvx
ifconfig
ASKER
Sorry the RDP connection does not connect all commands seem fine. I tried to connect to 109.231.73.70 via a RDP client on a xp pc.
root@ubuntu:~# iptables -L -nvx
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 * 172.29.0.0/24 0.0.0.0/0
0 0 REJECT all -- eth0 * 172.29.0.0/24 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT icmp -- eth0 * 0.0.0.0/0 109.231.73.64/29
203 19506 ACCEPT all -- eth0 * 0.0.0.0/0 109.231.73.64/29 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 109.231.73.64/29 ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 109.231.73.64/29 ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
2 96 ACCEPT tcp -- eth0 * 195.234.243.130 109.231.73.64/29 ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
67 10789 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 172.29.4.100 tcp dpt:3389
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * eth1 109.231.73.64/29 172.29.0.0/24
0 0 ACCEPT all -- * eth1 172.29.4.2 172.29.0.0/24
0 0 REJECT all -- * eth0 0.0.0.0/0 172.29.0.0/24 reject-with icmp-port-unreachable
205 29952 ACCEPT all -- * eth0 109.231.73.64/29 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 69 packets, 10885 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 109.231.73.70 tcp dpt:3389 to:172.29.4.100:3389
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
14 997 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 14 packets, 997 bytes)
pkts bytes target prot opt in out source destination
root@ubuntu:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3e:36:a6:d6
inet addr:109.231.73.70 Bcast:109.231.73.71 Mask:255.255.255.248
inet6 addr: fe80::216:3eff:fe36:a6d6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9320 errors:0 dropped:0 overruns:0 frame:0
TX packets:9088 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:785190 (785.1 KB) TX bytes:4222437 (4.2 MB)
Interrupt:32 Base address:0x8000
eth1 Link encap:Ethernet HWaddr 00:16:3e:57:60:8a
inet addr:172.29.4.2 Bcast:172.29.4.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe57:608a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:314 errors:0 dropped:0 overruns:0 frame:0
TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:34249 (34.2 KB) TX bytes:7386 (7.3 KB)
Interrupt:36 Base address:0xc100
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:51333 errors:0 dropped:0 overruns:0 frame:0
TX packets:51333 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5749272 (5.7 MB) TX bytes:5749272 (5.7 MB)
It seems that your previous "primary" external IP was x.x.x.64. You have several rules writen to that IP so it might be a good idea to leave that IP in... But this has nothing to do with your problem.
To me it seems that the proper DNAT rule is in place:
0 0 DNAT tcp -- * * 0.0.0.0/0 109.231.73.70 tcp dpt:3389 to:172.29.4.100:3389
What is strange is that the packet count is 0 for this rule - that means that no packet matching the rule did not come to the machine.
Oh - this just came to me - where did you test the RDP connection from? From a machine inside the network (172.29.4.x)? You should be somewhere on the internet to test this. Maybe (for testing purposes) you could also change the rule to:
iptables -t nat -I PREROUTING -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3386
This means the redirection will cover any IP - even internal one (172.29.4.2)
To me it seems that the proper DNAT rule is in place:
0 0 DNAT tcp -- * * 0.0.0.0/0 109.231.73.70 tcp dpt:3389 to:172.29.4.100:3389
What is strange is that the packet count is 0 for this rule - that means that no packet matching the rule did not come to the machine.
Oh - this just came to me - where did you test the RDP connection from? From a machine inside the network (172.29.4.x)? You should be somewhere on the internet to test this. Maybe (for testing purposes) you could also change the rule to:
iptables -t nat -I PREROUTING -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3386
This means the redirection will cover any IP - even internal one (172.29.4.2)
ASKER
I was testing from an external pc out on the internet. Is there any way I can turn up the logging for this so it can give me some more details as to why it is being blocked?
Logging is usually done with iptables rules themselves:
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 3389 -j LOG --log-prefix "PreroutingLog"
Then in /var/log/messages you receive an input for every packet. A good log is also the packet/byte counters outputed by command "iptables -t nat -nvx". If you can't get the packet at the PREROUTING chain there is a good chance that the packet never got to the machine.
Is there any firewall in the path? Does your internet provider allow connections on port 3389? What if you try to change to another port, like 43389? Does a connection to your web server work from outside?
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 3389 -j LOG --log-prefix "PreroutingLog"
Then in /var/log/messages you receive an input for every packet. A good log is also the packet/byte counters outputed by command "iptables -t nat -nvx". If you can't get the packet at the PREROUTING chain there is a good chance that the packet never got to the machine.
Is there any firewall in the path? Does your internet provider allow connections on port 3389? What if you try to change to another port, like 43389? Does a connection to your web server work from outside?
ASKER
I've tried using a different port with no luck and I tried to nat web traffic through to another server with no luck. I, now seeing some traffic hitting the rules using the command you sent me but I'm still being blocked somewhere along the line.
root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 2 packets, 289 bytes)
pkts bytes target prot opt in out source destination
1 48 DNAT tcp -- * * 0.0.0.0/0 109.231.73.64/29 tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.100:3389
3 144 DNAT tcp -- * * 0.0.0.0/0 109.231.73.64/29 tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.86:80
Chain POSTROUTING (policy ACCEPT 1 packets, 48 bytes)
pkts bytes target prot opt in out source destination
30 2120 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 29 packets, 2060 bytes)
pkts bytes target prot opt in out source destination
Great. If you see packet count increasing on the NAT rules then some traffic is comming to your machine. You can also insert a LOG rule that will log the packet to /var/log/messages (so you can inspect also source IP etc.).
Now the next question is what is happening in the FORWARD chain - is any traffic hitting the rule in FORWARD chain?
iptables -L FORWARD -nvx
If not then you must search for reasons for that - wrong interfaces specified etc.
If the FORWARD rule has nonzero packet count then the problem might be the reverse traffic - from your (internal) server to the client (on the internet).
Is this machine 172.29.4.2 your only firewall (and default gateway on all internal machines)? Does web access work from internal network through this machine? What is the output of command:
cat /proc/sys/net/ipv4/ip_forw ard
Now the next question is what is happening in the FORWARD chain - is any traffic hitting the rule in FORWARD chain?
iptables -L FORWARD -nvx
If not then you must search for reasons for that - wrong interfaces specified etc.
If the FORWARD rule has nonzero packet count then the problem might be the reverse traffic - from your (internal) server to the client (on the internet).
Is this machine 172.29.4.2 your only firewall (and default gateway on all internal machines)? Does web access work from internal network through this machine? What is the output of command:
cat /proc/sys/net/ipv4/ip_forw
ASKER
Ok the FORWARD rule seems to be working fine. Yes all my internal servers are using this box as its gateway. I can ping an extrenal DNS server and I can surf the web with no problems. I've also RDP out from the server to another server on the web with no problems.
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forw ard
1
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forw
1
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
5 240 ACCEPT tcp -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 eth1 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- eth1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ASKER
ok I got the websote to work (a typo on my side) but the RDP still no joys :(
ASKER
Ok this is very strange I've added my 2nd ip to my server and guess what I edited my rules to reflect my second IP and RDP start to work.
Blaz many many thanks for your help and patents with this
ASKER
Ok this is very strange I've added my 2nd ip to my server and guess what I edited my rules to reflect my second IP and RDP start to work.
Blaz many many thanks for your help and patents with this
Blaz many many thanks for your help and patents with this
Great that you got it working.
iptables -I FORWARD -d <internal_IP_1> -m tcp -p tcp --dport 3386 -j ACCEPT
You could also limit the allowed remote IP addresses in these rules