asked on

IPtables firewall | RDP access

Hi All

I've got a question for all you iptables experts out there.
I currently have a ubuntu 10.04 iptables firewall with nat enabled. The server has approximately 8 internet ipadress that I would like map RDP sessions to on my internal network.
internet-IP-1 --> RDP --> internal-server-1
internet-IP-2 --> RDP --> internal-server-2
internet-IP-3 --> RDP --> internal-server-3
internet-IP-4 --> RDP --> internal-server-4
internet-IP-5 --> RDP --> internal-server-5

would someone be able to give me the syntax that I would need to use please

Many thanks in advance

Blaz

iptables -I PREROUTING -d <internet_IP_1> -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3386
iptables -I FORWARD -d <internal_IP_1> -m tcp -p tcp --dport 3386 -j ACCEPT

You could also limit the allowed remote IP addresses in these rules

Kevin Turnbull

ASKER

Cool I'll give that a try and get back to you. Thanks for the quick reply

ASKER CERTIFIED SOLUTION

Blaz

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Kevin Turnbull

ASKER

Hi Blaz, that still doesn't work. I've removed all additional IP's from this server so that is now only has one just to simplify thing but still no joy.
Any suggestions?

Blaz

Maybe you could share with us what doesn't work. Did the console command return an error? What tests did you perform etc.

You could start with giving us your configuration - please post the outputs of commands:
iptables -L -nvx
iptables -t nat -L -nvx
ifconfig

Kevin Turnbull

ASKER

Sorry the RDP connection does not connect all commands seem fine. I tried to connect to 109.231.73.70 via a RDP client on a xp pc.

root@ubuntu:~# iptables -L -nvx
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   *       172.29.0.0/24        0.0.0.0/0
       0        0 REJECT     all  --  eth0   *       172.29.0.0/24        0.0.0.0/0           reject-with icmp-port-unreachable
       0        0 ACCEPT     icmp --  eth0   *       0.0.0.0/0            109.231.73.64/29
     203    19506 ACCEPT     all  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:80
       0        0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:443
       2       96 ACCEPT     tcp  --  eth0   *       195.234.243.130      109.231.73.64/29    ctstate NEW,RELATED,ESTABLISHED tcp dpt:22
      67    10789 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            172.29.4.100        tcp dpt:3389
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate INVALID
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  *      eth1    109.231.73.64/29     172.29.0.0/24
       0        0 ACCEPT     all  --  *      eth1    172.29.4.2           172.29.0.0/24
       0        0 REJECT     all  --  *      eth0    0.0.0.0/0            172.29.0.0/24       reject-with icmp-port-unreachable
     205    29952 ACCEPT     all  --  *      eth0    109.231.73.64/29     0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 69 packets, 10885 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.70       tcp dpt:3389 to:172.29.4.100:3389

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      14      997 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 14 packets, 997 bytes)
    pkts      bytes target     prot opt in     out     source               destination
root@ubuntu:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:3e:36:a6:d6
          inet addr:109.231.73.70  Bcast:109.231.73.71  Mask:255.255.255.248
          inet6 addr: fe80::216:3eff:fe36:a6d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9320 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9088 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:785190 (785.1 KB)  TX bytes:4222437 (4.2 MB)
          Interrupt:32 Base address:0x8000

eth1      Link encap:Ethernet  HWaddr 00:16:3e:57:60:8a
          inet addr:172.29.4.2  Bcast:172.29.4.255  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe57:608a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:111 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:34249 (34.2 KB)  TX bytes:7386 (7.3 KB)
          Interrupt:36 Base address:0xc100

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:51333 errors:0 dropped:0 overruns:0 frame:0
          TX packets:51333 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5749272 (5.7 MB)  TX bytes:5749272 (5.7 MB)

Open in new window

Blaz

It seems that your previous "primary" external IP was x.x.x.64. You have several rules writen to that IP so it might be a good idea to leave that IP in... But this has nothing to do with your problem.

To me it seems that the proper DNAT rule is in place:
0 0 DNAT tcp -- * * 0.0.0.0/0 109.231.73.70 tcp dpt:3389 to:172.29.4.100:3389

What is strange is that the packet count is 0 for this rule - that means that no packet matching the rule did not come to the machine.

Oh - this just came to me - where did you test the RDP connection from? From a machine inside the network (172.29.4.x)? You should be somewhere on the internet to test this. Maybe (for testing purposes) you could also change the rule to:

iptables -t nat -I PREROUTING -m tcp -p tcp --dport <desired_internet_port> -j DNAT --to-destination <internal_IP_1>:3386

This means the redirection will cover any IP - even internal one (172.29.4.2)

Kevin Turnbull

ASKER

I was testing from an external pc out on the internet. Is there any way I can turn up the logging for this so it can give me some more details as to why it is being blocked?

Blaz

Logging is usually done with iptables rules themselves:
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 3389 -j LOG --log-prefix "PreroutingLog"

Then in /var/log/messages you receive an input for every packet. A good log is also the packet/byte counters outputed by command "iptables -t nat -nvx". If you can't get the packet at the PREROUTING chain there is a good chance that the packet never got to the machine.

Is there any firewall in the path? Does your internet provider allow connections on port 3389? What if you try to change to another port, like 43389? Does a connection to your web server work from outside?

Kevin Turnbull

ASKER

I've tried using a different port with no luck and I tried to nat web traffic through to another server with no luck. I, now seeing some traffic hitting the rules using the command you sent me but I'm still being blocked somewhere along the line.

root@ubuntu:~# iptables -t nat -L -nvx
Chain PREROUTING (policy ACCEPT 2 packets, 289 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1       48 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.64/29    tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.100:3389
       3      144 DNAT       tcp  --  *      *       0.0.0.0/0            109.231.73.64/29    tcp dpt:80 ctstate NEW,RELATED,ESTABLISHED to:172.29.4.86:80

Chain POSTROUTING (policy ACCEPT 1 packets, 48 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      30     2120 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 29 packets, 2060 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Open in new window

Blaz

Great. If you see packet count increasing on the NAT rules then some traffic is comming to your machine. You can also insert a LOG rule that will log the packet to /var/log/messages (so you can inspect also source IP etc.).

Now the next question is what is happening in the FORWARD chain - is any traffic hitting the rule in FORWARD chain?
iptables -L FORWARD -nvx

If not then you must search for reasons for that - wrong interfaces specified etc.

If the FORWARD rule has nonzero packet count then the problem might be the reverse traffic - from your (internal) server to the client (on the internet).

Is this machine 172.29.4.2 your only firewall (and default gateway on all internal machines)? Does web access work from internal network through this machine? What is the output of command:
cat /proc/sys/net/ipv4/ip_forward

Kevin Turnbull

ASKER

Ok the FORWARD rule seems to be working fine. Yes all my internal servers are using this box as its gateway. I can ping an extrenal DNS server and I can surf the web with no problems. I've also RDP out from the server to another server on the web with no problems.
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5      240 ACCEPT     tcp  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           tcp dpt:3389 ctstate NEW,RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  eth1   eth1    0.0.0.0/0            0.0.0.0/0
       0        0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Open in new window

Kevin Turnbull

ASKER

ok I got the websote to work (a typo on my side) but the RDP still no joys :(

Kevin Turnbull

ASKER

Ok this is very strange I've added my 2nd ip to my server and guess what I edited my rules to reflect my second IP and RDP start to work.
Blaz many many thanks for your help and patents with this

Kevin Turnbull

ASKER

Ok this is very strange I've added my 2nd ip to my server and guess what I edited my rules to reflect my second IP and RDP start to work.

Blaz many many thanks for your help and patents with this

Blaz

Great that you got it working.