?
Solved

iptables internet nat redirection (wan to lan)

Posted on 2015-01-03
9
Medium Priority
?
1,014 Views
Last Modified: 2015-02-02
I am trying to setup a Linux/iptables router to redirect forwarded ports from the outside/wan interface to an IP address on the inside/LAN network.  This works fine from outside of the internal network, but I also want this to happen inside the internal network.  I have read several examples and it looks like it should be working, however it is not.  I am working on redirecting port 443 currently.  In the script below the outside interface (eth0) IP is 1.2.3.4 and inside interface (eth1) IP is 192.168.1.254.  The internal server I want to redirect port 443 to is 192.168.1.10.  This is a /24 network so the network address is 192.168.1.0/24.  Can anyone see what I am doing wrong in the script below?

# Setting default INPUT policy to DROP
/sbin/iptables -P INPUT DROP

/sbin/iptables -A INPUT -j ACCEPT -s 192.168.1.0/24 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j ACCEPT -s 1.2.3.4 -d 0.0.0.0/0
/sbin/iptables -A INPUT -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i lo
/sbin/iptables -A INPUT -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -i eth0 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A INPUT -j ACCEPT -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0

/sbin/iptables -A INPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0 --log-prefix ' ##INPUT DENY LOG## '

#  =====================================
#  ========== Outgoing Rules ===========
#  =====================================

# Setting default OUTPUT policy to ACCEPT
/sbin/iptables -P OUTPUT ACCEPT

/sbin/iptables -A OUTPUT -j ACCEPT -s 0.0.0.0/0 -d 192.168.1.0/24
/sbin/iptables -A OUTPUT -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -o lo
/sbin/iptables -A OUTPUT -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -o tun+
/sbin/iptables -A OUTPUT -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -o eth0 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A OUTPUT -j ACCEPT -s 1.2.3.4/32 -d 1.2.3.4/32
/sbin/iptables -A OUTPUT -j ACCEPT -s 192.168.1.0/24 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j ACCEPT -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0
/sbin/iptables -A OUTPUT -j ACCEPT -s 1.2.3.4 -d 0.0.0.0/0

/sbin/iptables -A OUTPUT -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0 --log-prefix ' ##OUTPUT ACCEPT LOG## '

#  ======================================
#  ========== Forwarded Rules ===========
#  ======================================

# Setting default forward policy to DROP
/sbin/iptables -P FORWARD DROP

# Allow VPN traffic for openvpn tunnels
/sbin/iptables -A FORWARD -j ACCEPT -i tun+
/sbin/iptables -A FORWARD -j ACCEPT -o tun+

# Allow normal NAT operations
/sbin/iptables -A FORWARD -j ACCEPT -s 0.0.0.0/0 -d 0.0.0.0/0 -m state --state RELATED,ESTABLISHED
/sbin/iptables -A FORWARD -j ACCEPT -s 0.0.0.0/0 -d 192.168.1.0/24
/sbin/iptables -A FORWARD -j ACCEPT -s 192.168.1.0/24 -d 0.0.0.0/0

# Log everything else
/sbin/iptables -A FORWARD -j LOG -s 0.0.0.0/0 -d 0.0.0.0/0 --log-prefix ' ##FORWARD DENY LOG## '

#  ======================================
#  ========== Prerouting Rules ==========
#  ======================================

/sbin/iptables -t nat -A PREROUTING -j DNAT -p tcp -s 0.0.0.0/0 -d 1.2.3.4 --dport 443 --to 192.168.1.10

#  ======================================
#  ========= Postrouting Rules ==========
#  ======================================

# Forward all INTERNAL traffic to the correct INTERNAL IP
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 192.168.1.0/24 -d 192.168.1.10 --to-source 192.168.1.254

# Masquerade everything else
/sbin/iptables -t nat -A POSTROUTING -j SNAT -s 0.0.0.0/0 -d 0.0.0.0/0 -o eth0 --to-source 1.2.3.4

Open in new window

0
Comment
Question by:bdhtechnology
  • 4
  • 4
9 Comments
 
LVL 81

Assisted Solution

by:arnold
arnold earned 1000 total points
ID: 40529758
To deal with outgoing traffic, you need to deal with the NAT table output, POSTrouting.

You would also use SNAT.

There is a graphical depiction to which I do not have a link at hand, it depicts the iptable stracture
Look for linux as a router,
Input forward PREROUTING output dealswith external to internal traffic,
You need to work on the other table and reversing the path.
0
 
LVL 81

Expert Comment

by:arnold
ID: 40529766
Look at http://www.fwbuilder.org which may help you withthe control of the outgoing traffic.

--to-address 192.168.1.10/24 ....

Your IPtables rules seem wrong using NAT IPs.

You should use interface designations to make sure which you are dealing with.
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 40530152
That looks like an interesting tool, though I would have to learn a new tool to figure this one out :)

I feel like it is pretty close, when I examine the logs I see each of the rules has an equal number of packets, so they are being run, but I believe something is just a bit off.

Here are the 2 rules I am working with specifically.  I will try to find the page with the example I am working off of

iptables -t nat -A PREROUTING -j DNAT -p tcp -s 0.0.0.0/0 -d 1.2.3.4 --dport 443 --to 192.168.1.10
iptables -t nat -A POSTROUTING -j SNAT -s 192.168.1.0/24 -d 192.168.1.10 --to-source 192.168.1.254
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
LVL 81

Expert Comment

by:arnold
ID: 40530180
Th ile needs to be in input and forward.

Is your setup is such that your linu box is functioning as a router.

Often I oukd suggest you relate IP chains
On using the wan interface -i interface as the limiter
I.e. This way you can add a rule to the chain and it will result in the addition of the same rule to the two appropriate input PREROUTING, forward on one side incoming rules
Nd no thr using outgoing rules fom the LAN interface.

Your second one, you oukd not use SNAT to alter the source IP as 1.254 but rather alter the source to reflect the WAN IP you want the packet to appear as originating.
This deals ith you having multiple public IPs 1.2.3.4 1.2.3.5 1.2.3.6
SNAT would reflect the 1.2.3.5 when the internal source is 192.168.1.10

Or m I not understanding hat you want your main wan IP is 1.2.3.4
Internet access to1.2.3.5:443 you want to end up on server 192.168.1.10:443
You then want the response to appear as originating from 1.2.3.5 to match
0
 
LVL 1

Author Comment

by:bdhtechnology
ID: 40530873
Yes the Linux box is functioning as a router.  

Basically all I want is packets sent to the main WAN IP of 1.2.3.4 on port 443 to be redirected to 192.168.1.10 on port 443.  It doesn't matter to me if the response appears as originating from the WAN IP or the local IP address of the device, as long as they can access it.
0
 
LVL 81

Expert Comment

by:arnold
ID: 40530895
iptables -t nat -I PREROUTING 4 --dport 443 -t tcp -m tcp --to 192.168.1.10:443 -j DNAT
iptables  -I FORWARD 1 -m tcp -p tcp --dport 443 --to 192.168.1.10:443 -j ACCEPT

-I tells it  to insert the instruction, number 4 tells it to on line 4.

see if that solves your issue.

There are many linus as router/prot forward examples,
http://www.fclose.com/816/port-forwarding-using-iptables/ is one.

Using IP chains, is often better as you can your own created IPCHAIN
with interface restriction and the type.

Then when you add a rule to the chain, it will be reflected in both PREROUTING and FORWARDING on the incoming side
0
 
LVL 35

Assisted Solution

by:Duncan Roe
Duncan Roe earned 1000 total points
ID: 40532228
I think you want to leave the source address of internally generated --dport 443 packets alone. The replies will go to the right systems, bypassing the router.
0
 
LVL 1

Accepted Solution

by:
bdhtechnology earned 0 total points
ID: 40575971
This is apparently working, except from  the server itself.
0
 
LVL 1

Author Closing Comment

by:bdhtechnology
ID: 40583578
started working
0

Featured Post

Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have written articles previously comparing SARDU and YUMI.  I also included a couple of lines about Easy2boot (easy2boot.com).  I have now been using, and enjoying easy2boot as my sole multiboot utility for some years and realize that it deserves …
Often times it's very very easy to extend a volume on a Linux instance in AWS, but impossible to shrink it. I wanted to contribute to the experts-exchange community a way of providing a procedure that works on an AWS instance. It can also be used on…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Suggested Courses
Course of the Month12 days, 19 hours left to enroll

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question