Iptable forwarding code needed

Steven E. Protter · ‎06-29-2004

I need to forward port 47 and 1723 and maybe 500,1701, and 4500 to an internal Windows 2003 Server.

I have looked at many suggestions but need a proven Windows 2003 Server solution.

See this thread if there are issues that need to be dealt with on the Windows 2003 Server side.

Linux ES 3.0 2.4.x kernel iptables, two NIC. eth0 is on the public internet, eth1 is on the internal.

I am travelling the next two weeks, but can reconfigure the firewall. I can't test it and there may be a long delay in point assignment.

Points for all participation, but if the solution isn't proven to work with Windows 2003 Server you have no chance of getting bunny or near bunny pointage.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎06-29-2004

The link:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=624076

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Stuart Browne · ‎06-29-2004

(Re-type 2: I hit 'clear' instead of preview *sob*sob*sob*)

Although not tested with W2K3 specifically, the following rules are the sort of things required:

filter:-

iptables -t filter -N VPNIn
iptables -t filter -N VPNOut

iptables -t filter -A VPNIn -p tcp --dport 47 -j ACCEPT
iptables -t filter -A VPNIn -p tcp --dport 500 -j ACCEPT
iptables -t filter -A VPNIn -p tcp --dport 1701 -j ACCEPT
iptables -t filter -A VPNIn -p tcp --dport 1723 -j ACCEPT
iptables -t filter -A VPNIn -p tcp --dport 4500 -j ACCEPT

iptables -t filter -A VPNOut -p tcp --sport 47 -j ACCEPT
iptables -t filter -A VPNOut -p tcp --sport 500 -j ACCEPT
iptables -t filter -A VPNOut -p tcp --sport 1701 -j ACCEPT
iptables -t filter -A VPNOut -p tcp --sport 1723 -j ACCEPT
iptables -t filter -A VPNOut -p tcp --sport 4500 -j ACCEPT

iptables -t filter -I FORWARD -j VPNIn -i eth0 -o eth1
iptables -t filter -I FORWARD -j VPNOut -i eth1 -o eth0

nat:-

iptables -t nat I PREROUTING -j DNAT -i eth0 -p tcp --dport 47 --to W2K3IP:47
iptables -t nat I PREROUTING -j DNAT -i eth0 -p tcp --dport 500 --to W2K3IP:47
iptables -t nat I PREROUTING -j DNAT -i eth0 -p tcp --dport 1701 --to W2K3IP:47
iptables -t nat I PREROUTING -j DNAT -i eth0 -p tcp --dport 1723 --to W2K3IP:47
iptables -t nat I PREROUTING -j DNAT -i eth0 -p tcp --dport 4500 --to W2K3IP:47

Discussion:-

We've done this using W2K before on older Linux boxes, but as we were using a specific VPN style (port 1723), we only had one rule a piece.

As the data will be going both ways, we need the VPNIn traffic (from external sites) and the VPNOut traffic (from the server, you could tie that down to a given '-s W2K3IP' if you wanted, but *shrug*) allowed through the 'FORWARD' chain. A '-m state --state ESTABLISHED,RELATED' might cover it but I'm not 100% sure about that.

The DNAT rules in the Nat tables translate the external connection to the specified ports to the internal machine 'W2K3IP'.

One long-haired git at your service...

Steven E. Protter · ‎07-13-2004

I am sorry for the point delay Stuart. I just don't have access to the Windows 2003 server for tests. I believe your solution will solve the problem and essentially provide my chosen users the access they get on my internal network.

So 10 points without a test. What can I say.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎07-23-2004

I'm pretty sure I have this licked but...

I'm willing to hand out another bunny.

The last section of Stuart's code doesn't work. The I option doesn't work and I can't seem to debug it.

The real issue here was the W2K3 server.

The default firewall setup blocked VPN. Since there are already two firewalls inclduing this one between the public Internet and the W2K3 box, I've shut down the firewall on Windows.

Still, I'd like this code to work well.

A bunny for the fix to Stuart's code(8 points if he fixes it himself ) and a bunny for someone two translates it to /etc/sysconfig/iptables format.

Lazy,need the project in the bag. YES!

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎07-23-2004

Oh

-I

Duh.

If someone wants to translate this to config format, it would be appreciated and rewarded.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Stuart Browne · ‎07-25-2004

Yea, sorry about that.. Didn't notice it.

For the 'etc/sysconfig/iptables' format, just drop 'iptables -t ' off the head of each of them, and preceed the table section with ':table', i.e.:

:VPNIn - [0:0]
[0:0] -A VPNIn -p tcp --dport 47 -j ACCEPT
[0:0] -A VPNIn -p tcp --dport 500 -j ACCEPT
[0:0] -A VPNIn -p tcp --dport 1701 -j ACCEPT
[0:0] -A VPNIn -p tcp --dport 1723 -j ACCEPT
[0:0] -A VPNIn -p tcp --dport 4500 -j ACCEPT
:VPNOut - [0:0]
[0:0] -A VPNOut -p tcp --sport 47 -j ACCEPT
[0:0] -A VPNOut -p tcp --sport 500 -j ACCEPT
[0:0] -A VPNOut -p tcp --sport 1701 -j ACCEPT
[0:0] -A VPNOut -p tcp --sport 1723 -j ACCEPT
[0:0] -A VPNOut -p tcp --sport 4500 -j ACCEPT

[0:0] -I FORWARD -j VPNIn -i eth0 -o eth1
[0:0] -I FORWARD -j VPNOut -i eth1 -o eth0

[0:0] -I PREROUTING -j DNAT -i eth0 -p tcp --dport 47 --to W2K3IP:47
[0:0] -I PREROUTING -j DNAT -i eth0 -p tcp --dport 500 --to W2K3IP:47
[0:0] -I PREROUTING -j DNAT -i eth0 -p tcp --dport 1701 --to W2K3IP:47
[0:0] -I PREROUTING -j DNAT -i eth0 -p tcp --dport 1723 --to W2K3IP:47
[0:0] -I PREROUTING -j DNAT -i eth0 -p tcp --dport 4500 --to W2K3IP:47

One long-haired git at your service...

Steven E. Protter · ‎07-26-2004

What I did Stuart was this:

service iptables restart

then i ran my corrections on your code as a script.

then i ran iptables-save > /etc/sysconfig/iptables

this of course after a backup.

Worked like a champ.

The only issue I have left is W2K3 Server says it doesn't have a certificate.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Stuart Browne · ‎07-26-2004

Can't help you with that one. Haven't touched W2K3 at all.

One long-haired git at your service...

Steven E. Protter · ‎07-26-2004

Wondering if i should see these little packets passing through on the firewall log. Somehow I'm back to not answering as a response again. Infuriating.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎07-26-2004

I'd like a way to verify once and for all if the packets are being passed through. I don't think they are.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Stuart Browne · ‎07-26-2004

Two ways:

1) watch the counters. you should see the packet/byte values for the appropriate rules increase.

2) tcpdump. Tie one to each interface that the packets are traversing, and watch as they come in one, and out the other with a different address.

One long-haired git at your service...

Fred Ruffet · ‎07-26-2004

I'll add three other points to Stuart's :

. Why not temporarly add logging to forwarding rules ? You could then see what's happening.
. Why not try the applications that are acessing this ports and see if they are running ?
. Use telnet on specified ports.

Regards,

Fred

--

"Reality is just a point of view." (P. K. D.)

Steven E. Protter · ‎07-27-2004

Watch the counters?

How? Which ones?

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎07-27-2004

09:40:09.738866 shell2.speakeasy.net.56236 > jerusalem.investmenttool.com.1723: S 1612265629:1612265629(0) win 5840 (DF)

So, was the packet forwarded?

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Huc_1 · ‎07-27-2004

SEP to watch network tratic i use iptraf from root if you do not have this use
# tcpdump eth0

then try connection to the "forward port" from a system on the Internet to your ip using

#telnet 'ip_address' 'port_number'

this should feed your "iptraf or tcpdump" and should also log into /etc/var/*

I hope this helps your or else I am not getting the whole picture...

Jean-Pierre

Smile I will feel the difference

Steven E. Protter · ‎07-27-2004

I'm going to run a tcpdump with a full vpn test.

Its now obvious to me that some port that Microsoft needs to authenticate with is being blocked by the firewall.

I say this because on the internal network the VPN connects without error.

So guy's we missed something. I am willing to prove this by forwarding ALL traffic to the Microsoft server.

It would still be useful if someone who actually did a Linux firewall forward to a Windows 2003 VPN server chimed in. We're gonna get this bear.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Huc_1 · ‎07-27-2004

Sorry SEP
Had not read/seen your last message.

I think this means the package has been forwarded but perhaps it is rejected by W-2003

perhaps you could get ethereal for the W-2003 and see what it see ?

Jean-Pierre

Smile I will feel the difference

Steven E. Protter · ‎07-27-2004

Great idea Huc.

Thats why you got the rabbit.

Going to do that. That should prove definitively where the problem is. Gotta know where the issue is before you can fix it.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎07-27-2004

Fred,

Though there is no way you could know that, full logging is enabled.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Steven E. Protter · ‎07-27-2004

Need some interpretation on this tcpdump data

18:02:27.768993 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760 (DF)
18:02:29.862213 arp who-has 192.168.0.48 tell 192.168.0.41
18:02:29.862416 arp reply 192.168.0.48 is-at 0:10:83:34:c6:70
18:02:33.784426 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760 (DF)
18:02:49.455061 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:02:52.379087 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:02:58.393377 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)

Info:
192.168.0.48 is the NIC of the Windows 2003 server. This output is off of eth1, which is the internal NIC on the firewall.

Questions:
Does this data indicate packet forwarding?

Does this data indicate the W2K3 server is answering(i think no)?

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Stuart Browne · ‎07-27-2004

Yes, it means the packets are being forwarded to the W2K3 host on port 47.

It also appears as if the W2K3 host isn't responding for some reason.

Do you have a firewall on the W2K3 server which is saying not to respond to things not from your LAN?

The other possibility (of which I've encountered before) is that the W2K3 server doesn't know how to route back to 'dialup-4.158.9.218.Dial1.Chicago1.Level3.net'.

One long-haired git at your service...

Steven E. Protter · ‎07-27-2004

Stuart,

Since the W2K3 box is not responding to pings, I have a problem there. Very crucial whats going on but I think I may be able to dink with it.

I'm not confident the firewall is disabled, but I think I can nail it down with my thread in the Windows side.

Hmmm. Looks like another bunny for Stuart.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Fred Ruffet · ‎07-27-2004

W2K3 not responding to ping :
. One firewall stops ICMP... as long has you know your iptables, it may be that W2K3 firewall running.
. Your Win server does not resolve IP for the pinging machine.

Maybe a thing would be to use nmap from firewall to W2K3 server...

Regards,

Fred

--

"Reality is just a point of view." (P. K. D.)

Steven E. Protter · ‎07-28-2004

Fred,

Please elaborate on your suggestion.

I have disabled the Windows firewall and the box responds to pings.

It just doesn't respond to VPN packets.

SEP

Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Iptable forwarding code needed

Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed

Re: Iptable forwarding code needed