iptables, need to permit hosts

Mark
I'm trying to permit a certain host to access ports 22, 80 and 443 on a firewall which redirects these requests to another host (lines 11 and 15, below). Also, I want any request to ports 20028 and 8084 to be directed to ports 22 and 80, respectively, on the firewall itself (line 13). The redirection of 22 works fine to the other host, but the port redirection of 20028 only works if the source is the restricted source for port 22. The firewall's IP is xx.xx.xx.110:
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT

    iptables -P INPUT DROP

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20028,8084 -j ACCEPT
    iptables -A INPUT -i eth0 -s 98.102.63.106 -p tcp --syn -m multiport --dports 22,80,443 -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 20028 -j REDIRECT --to-port 22

    iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 22 -j DNAT --to-destination 192.168.168.10:22


So, ssh'ing to xx.xx.xx.110 from 98.102.63.106 works and gets me to 192.168.168.10.

ssh'ing to port 20028 on xx.xx.xx.110 from 89.102.63.106 works and gets me to xx.xx.xx.110. It's as if the iptables rule is paying attention to the -s parameter of the other rule.

ssh'ing to port 20028 on xx.xx.xx.110 from any IP other than 98.102.63.106 does not work: no connection.

This last thing is what I want to solve. Basically, I want to ssh from any computer whatsoever to xx.xx.xx.110:2028 and get to the firewall itself:

ssh -p 20028 user@xx.xx.xx.110

How do I fix this?
Distinguished Expert 2017

Commented:
Not sure I understand, but your PREROUTING rule for port 20028 (line 13) is to redirect to port 22.  I do not see DNAT rules where you alter the destination of the packet.
13 is then followed by the port 22 accept rule on line 15.

Try swapping the order moving line 13 below line 15

iptables -t NAT -L PREROUTING --line-numbers

Iptables has an option, I think, that you can use with the information from the above command to move/change the order of the rules, either shifting line 13 of the above down one or moving line 15 above the line number reported for line 13 above.

Unfortunately, I do not see what the circumstance is.

Author

Commented:
Nope that didn't help.

Here's the circumstance: YOU should be able to `ssh -p 20028 98.102.63.110` and get a login prompt. But you can't unless you are doing it from 98.102.63.106.
> iptables -t nat -L PREROUTING -n -v  --line-numbers
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DNAT       tcp  --  eth0   *       98.102.63.106        0.0.0.0/0            tcp dpt:22 to:192.168.168.10:22
2        7   420 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20028 redir ports 22


Distinguished Expert 2017

Commented:
Where is this iptable running?

What is the test that you are doing?

Are you trying to mimic the functionality using a Linux box?  Note your iptables -v report shows all packets matched the redirect rule.

I think I understand what you want to achieve by using a Linux box as a firewall/router.

Depending on the router you have, it can enforce source based access while adding to the overhead impact.
Usually the rule INPUT should, include --to-address -j DNAT


Could you post the sequential output of
iptables -t filter -L --line-numbers
iptables -t nat -L --line-numbers
Iptables -t DNAT -L --line-numbers
Iptables -t MASQUERADE -L --line-numbers
Iptables -t SNAT -L --line-numbers

There is a good write-up on Linux as a router as well as for explaining the flow of iptables.

Author

Commented:
Where is this iptable running?
On the firewall, yes, it is a linux box.
What is the test that you are doing?
I do have a linux box at 192.168.168.10 which is a stand-in for the Samsung phone system. However, the Samsung will be the same IP and one should get a login prompt on that when ssh'd to as well. When all is said and done, the IP's redirecting to the Samsung will be restricted to the Phone Company's IPs. Right now, it is restricted to an IP I have access to for testing: 98.102.63.10. That redirection works.

What I also want to be able to do is ssh into the firewall itself using port 20028.

I think I'm getting closer. It occurred to me that I don't actually have port 22 open for the firewall (line 10 in initial posting). I've added that in and now I can `ssh -p 20028 98.102.63.110` from any Internet host and get a login prompt. You should be able to too.

The problem is that I can also `ssh 98.102.63.110` and get a login prompt for the firewall.

Before posting all the iptables -L stuff, let me scratch my head a bit on this last puzzle. I want:

if I `ssh 98.102.63.110` from 98.102.63.106 I want to redirect to 192.168.168.10 (works)

if I `ssh -p 20028 98.102.63.110` from any host, anywhere I want to get a login prompt for the firewall. That now works.

If I `ssh 98.102.63.110` from anywhere other than 98.102.63.106 I want no connect. (currently doesn't work). Perhaps I need to finish my rules with a --dport 22 -j DROP?
Distinguished Expert 2017

Commented:
There are two different sections.  To access your firewall, your INPUT/FORWARD will control access.
To pass through the firewall you use the INPUT/PREROUTING.

Line 15 only applies when the source is matched.
Since your INPUT accepts port 22 connections when the source is matched, the packet is sent to the Samsung as port forwarding is enforced; when it falls through, the forwarding policy will allow the packet to hit the firewall's ssh server.
Distinguished Expert 2017

Commented:
Reread: in your last post you said you opened port 22.

Look at the Iptables -L INPUT -n --line-numbers
The only port 22 you should have open is with the source restriction

Is there a router before the Linux firewall where you have port forwarding setup?

Author

Commented:
The only port 22 you should have open is with the source restriction
Yes, you're right. That was a silly change on my part. Esp. since I can get to the firewall by `ssh -p 20028 ...` on the host 98.102.63.106. So clearly adding it to the non-restricted list was dumb.
Is there a router before the Linux firewall where you have port forwarding setup?
No. The firewall is connected directly to the Internet (ISP's cable modem) and the "Samsung" surrogate (192.168.168.10) is connected directly to the firewall's eth1.

So, here are the iptables listings you asked for:

iptables -t filter -L --line-numbers
> iptables -t filter -L -n --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20028,8084
5    ACCEPT     tcp  --  98.102.63.106        0.0.0.0/0            tcp flags:0x17/0x02 multiport dports 22,80,443

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


iptables -t nat -L --line-numbers
> iptables -t nat -L -n --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:20028 redir ports 22
2    DNAT       tcp  --  98.102.63.106        0.0.0.0/0            tcp dpt:22 to:192.168.168.10:22

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0


Iptables -t DNAT -L --line-numbers
> iptables -t DNAT -L -n --line-numbers
iptables v1.4.20: can't initialize iptables table `DNAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


Iptables -t MASQUERADE -L --line-numbers
> iptables -t MASQUERADE -L -n --line-numbers
iptables v1.4.20: can't initialize iptables table `MASQUERADE': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


Iptables -t SNAT -L --line-numbers
> iptables -t SNAT -L -n --line-numbers
iptables v1.4.20: can't initialize iptables table `SNAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.


And just to round it out:
> iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 20028,8084
5    ACCEPT     tcp  --  98.102.63.106        0.0.0.0/0            tcp flags:0x17/0x02 multiport dports 22,80,443

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination


Distinguished Expert 2017

Commented:
MASQUERADE, DNAT and SNAT
MASQUERADE/SNAT is needed if you have multiple public IPs and you need certain traffic to leave your firewall on a different IP than the primary/first public IP.

SNAT alters the source IP before it leaves POSTROUTING/OUTPUT going out from your firewall.

SNAT/masquerade might be a chain on the nat side; DNAT is in the filter side.

Marking/tagging packets can also be used to maintain paths.

IPS/IDS using snort is then not needed for deep packet inspection.

I think in the current configuration you have what you wanted.

See whether a VPN is possible to secure the traffic to your Samsung from the provider. I.e, IPSec VPN allowing specific traffic/ports within the tunnel traffic.

Author

Commented:
re. VPN - I don't want to add another layer of complexity.

I think in the current configuration you have what you wanted.
Well, not quite, and there must be a way to fix this.

I cannot ssh to port 20028 (redirected to 22) on the firewall unless doing so from the restricted computer 98.102.63.106. There must be a way! I suppose I could change the ListenAddress in sshd_conf, but surely there is a way to do this via iptables?!

I'm guessing the problem is that 20028 is redirected to 22, but 22 is not in the INPUT's allowed port list. It works from the restricted host because 22 is in its allowed list.

With all that iptables can do, there must be a way around this?
Distinguished Expert 2017
Commented:
Instead of redirect use the --to-destination 192.168.0.1:22  to route this traffic to a specific IP of the firewall itself port which then

A redirect to port 22 forces a reprocess rule to grant access

Do you have multiple public IP?
Where a rule -d IP1 for firewall
-d IP2 for another internal system
...
Commented:
Instead of redirect use the --to-destination 192.168.0.1:22  to route this traffic to a specific IP of the firewall itself port
I don't have 192.168.0.1 available, but I tried 127.0.0.1:22 -- didn't work.
A redirect to port 22 forces a reprocess rule to grant access
I think that's the fundamental problem. Redirecting to port 22 apparently does reprocess the rule for that port, and since that port is not opened except from the source 98.102.63.106, there is no connection from any other source. Maybe it simply can't be done.
Do you have multiple public IP?
No.

To solve the problem, I'll just put "Listen 8084" in httpd.conf and "port 20028" in sshd_conf. Then, no redirection needed at all in iptables. I've tried that and it works. Here's what I end up with:
    iptables -P INPUT DROP

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i eth1 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20028,8084 -j ACCEPT
    iptables -A INPUT -i eth0 -s 98.102.63.106 -p tcp --syn -m multiport --dports 22,80,443 -j ACCEPT

    iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 22 -j DNAT --to-destination 192.168.168.10:22
    iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 80 -j DNAT --to-destination 192.168.168.10:80
    iptables -t nat -A PREROUTING -i eth0 -s 98.102.63.106 -p tcp --dport 443 -j DNAT --to-destination 192.168.168.10:443


When all is said and done, I'll need 3 permitted IPs, not just the one. That, times 3 ports (22,80,443) will give me 9 rules like the last 3 shown. Any idea on how to consolidate that? Otherwise, I'll consider this question resolved and keep my eye open for some iptables posting somewhere that lets me do what I wanted originally ... if such is possible.
Distinguished Expert 2017

Commented:
You cannot redirect to 127.0.0.1: the response will originate from that IP and ... will not be able to complete a TCP connection.

What IP does the firewall have, use the LAN side default gateway IP in the --to-destination.

Author

Commented:
What IP does the firewall have, use the LAN side default gateway IP in the --to-destination.
The firewall IP is 98.102.63.110, the gateway is 98.102.63.105. There are 2 LAN-side cards which are the gateways for those LANs: 192.168.168.1, 192.168.1.1. Not sure what you mean by "98.102.63.110". Can you show me?
Distinguished Expert 2017

Commented:
You would have the

iptables -A PREROUTING -i eth0 -m tcp -p tcp --dport 20028 --to-destination 192.168.168.1:22 -j DNAT

Author

Commented:
As Arnold pointed out, redirecting to port 22 forces the iptables rule for that port to be reapplied, which blocks it. I solved the problem by having sshd accept connections on port 20028 instead of 22.
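The mechanism behind the whole thread is that nat/PREROUTING runs before filter/INPUT, so once REDIRECT has rewritten port 20028 to 22 the INPUT chain only ever sees a packet for port 22 and the "ACCEPT --dports 20028,8084" rule never matches. The conntrack entry still records the port the client originally dialled, and INPUT can match on that with `-m conntrack --ctorigdstport`. The script below is an added example, not code posted by Mark or Arnold: it generates (and, with APPLY=1, applies) a rule set that keeps the REDIRECT approach working from any source, denies direct port-22 connections from non-permitted sources, and collapses the "3 IPs times 3 ports" DNAT rules to one rule per permitted source. Interface names, the 192.168.168.10 host and the 98.102.63.106 source are taken from the thread; the 203.0.113.x and 198.51.100.x addresses are constructed TEST-NET placeholders standing in for the phone company's IPs.

```shell
#!/bin/sh
# Added example (not from the thread): generate the firewall rule set as text,
# and apply it only when APPLY=1. Interface names, the PBX address and the
# first permitted source come from the thread; the 203.0.113.x sources are
# constructed TEST-NET placeholders standing in for the phone company's IPs.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
PBX_IP="${PBX_IP:-192.168.168.10}"
ALLOWED_SRCS="${ALLOWED_SRCS:-98.102.63.106 203.0.113.10 203.0.113.11}"
MGMT_SSH_PORT=20028   # public port for ssh to the firewall itself
MGMT_HTTP_PORT=8084   # public port for http to the firewall itself

# gen_rules [SRC ...]: print one iptables command per line; sources default
# to ALLOWED_SRCS. Nothing is executed here, so the output can be reviewed.
gen_rules() {
    srcs="${*:-$ALLOWED_SRCS}"

    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"

    # Management ports. nat/PREROUTING runs before filter/INPUT, so by the
    # time INPUT sees the packet its destination port is already 22 or 80.
    # Matching on the port the client originally dialled (kept in the
    # conntrack entry) admits exactly the redirected flows and nothing else.
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $MGMT_SSH_PORT -j REDIRECT --to-ports 22"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $MGMT_HTTP_PORT -j REDIRECT --to-ports 80"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m conntrack --ctorigdstport $MGMT_SSH_PORT -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctorigdstport $MGMT_HTTP_PORT -j ACCEPT"

    # Pass-through to the PBX: one DNAT rule per permitted source covers all
    # three ports (omitting the port after --to-destination keeps it as-is),
    # so N sources need N rules rather than 3N.
    for src in $srcs; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -s $src -p tcp -m multiport --dports 22,80,443 -j DNAT --to-destination $PBX_IP"
    done

    # Forwarded traffic traverses FORWARD, not INPUT: only DNATed flows to
    # the PBX (and their replies) are let in from the WAN side.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PBX_IP -p tcp -m multiport --dports 22,80,443 -m conntrack --ctstate DNAT -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

if [ "${APPLY:-0}" = 1 ]; then
    gen_rules | sh -e      # apply for real (root and iptables required)
else
    gen_rules              # dry run: just print the rules
fi
```

Two points worth checking after applying it on a box with empty chains (the script does not flush existing rules, just like the thread's own listing). First, a plain `ssh 98.102.63.110` from a non-permitted source now falls through to the INPUT DROP policy, which is the third requirement stated in the thread; the only port-22 ACCEPT in INPUT is the one tied to an original destination of 20028. Second, the thread's INPUT rule accepting 22,80,443 from 98.102.63.106 is not what carried that host's traffic to the PBX: packets DNATed to another host go through FORWARD, so that rule only ever mattered because it happened to admit the redirected 20028 flow. Running `iptables -t nat -L PREROUTING -n -v --line-numbers` and `iptables -L INPUT -n -v --line-numbers` as in the thread, the pkts counters on the REDIRECT rule and on the --ctorigdstport rule should advance together on each connection.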
