Iptable forwarding code needed
06-29-2004 03:45 AM
I have looked at many suggestions but need a proven Windows 2003 Server solution.
See this thread if there are issues that need to be dealt with on the Windows 2003 Server side.
Linux ES 3.0 2.4.x kernel iptables, two NIC. eth0 is on the public internet, eth1 is on the internal.
I am travelling the next two weeks, but can reconfigure the firewall. I can't test it and there may be a long delay in point assignment.
Points for all participation, but if the solution isn't proven to work with Windows 2003 Server you have no chance of getting bunny or near bunny pointage.
SEP
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
06-29-2004 03:48 AM
Re: Iptable forwarding code needed
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=624076
SEP
06-29-2004 12:08 PM
Although not tested with W2K3 specifically, the following rules are the sort of things required:
filter:-
# VPNIn carries new sessions from the Internet to the server, VPNOut the server's replies.
# PPTP is TCP 1723 plus GRE (IP protocol 47, which has no port); L2TP/IPsec is UDP 500 (IKE),
# UDP 4500 (NAT-T) and UDP 1701 (L2TP). As posted, all five numbers were matched as TCP ports.
iptables -t filter -N VPNIn
iptables -t filter -N VPNOut
iptables -t filter -A VPNIn -p gre -j ACCEPT
iptables -t filter -A VPNIn -p udp --dport 500 -j ACCEPT
iptables -t filter -A VPNIn -p udp --dport 1701 -j ACCEPT
iptables -t filter -A VPNIn -p tcp --dport 1723 -j ACCEPT
iptables -t filter -A VPNIn -p udp --dport 4500 -j ACCEPT
iptables -t filter -A VPNOut -p gre -j ACCEPT
iptables -t filter -A VPNOut -p udp --sport 500 -j ACCEPT
iptables -t filter -A VPNOut -p udp --sport 1701 -j ACCEPT
iptables -t filter -A VPNOut -p tcp --sport 1723 -j ACCEPT
iptables -t filter -A VPNOut -p udp --sport 4500 -j ACCEPT
# -I puts the two jumps ahead of any FORWARD rules already present
iptables -t filter -I FORWARD -i eth0 -o eth1 -j VPNIn
iptables -t filter -I FORWARD -i eth1 -o eth0 -j VPNOut
nat:-
# As posted these lines had 'I' instead of '-I' and sent every port to W2K3IP:47; each DNAT
# must keep its own destination port, and GRE (no ports) is redirected by address only.
iptables -t nat -I PREROUTING -i eth0 -p gre -j DNAT --to W2K3IP
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to W2K3IP:500
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to W2K3IP:1701
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to W2K3IP:1723
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to W2K3IP:4500
Discussion:-
We've done this using W2K before on older Linux boxes, but as we were using a specific VPN style (port 1723), we only had one rule a piece.
As the data will be going both ways, we need the VPNIn traffic (from external sites) and the VPNOut traffic (from the server, you could tie that down to a given '-s W2K3IP' if you wanted, but *shrug*) allowed through the 'FORWARD' chain. A '-m state --state ESTABLISHED,RELATED' might cover it but I'm not 100% sure about that.
The DNAT rules in the Nat tables translate the external connection to the specified ports to the internal machine 'W2K3IP'.
07-13-2004 06:59 AM
Re: Iptable forwarding code needed
So 10 points without a test. What can I say.
SEP
07-23-2004 07:22 AM
Re: Iptable forwarding code needed
I'm willing to hand out another bunny.
The last section of Stuart's code doesn't work. The I option doesn't work and I can't seem to debug it.
The real issue here was the W2K3 server.
The default firewall setup blocked VPN. Since there are already two firewalls including this one between the public Internet and the W2K3 box, I've shut down the firewall on Windows.
Still, I'd like this code to work well.
A bunny for the fix to Stuart's code (8 points if he fixes it himself) and a bunny for someone who translates it to /etc/sysconfig/iptables format.
Lazy, need the project in the bag. YES!
SEP
07-23-2004 07:25 AM
Re: Iptable forwarding code needed
-I
Duh.
If someone wants to translate this to config format, it would be appreciated and rewarded.
SEP
07-25-2004 12:48 PM
Re: Iptable forwarding code needed
For the 'etc/sysconfig/iptables' format, just drop 'iptables -t
07-26-2004 04:16 AM
Re: Iptable forwarding code needed
service iptables restart
Then I ran my corrections on your code as a script.
Then I ran iptables-save > /etc/sysconfig/iptables
This of course after a backup.
Worked like a champ.
The only issue I have left is W2K3 Server says it doesn't have a certificate.
SEP
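The /etc/sysconfig/iptables translation asked for earlier in the thread, as an added example that is not code from the thread or from any poster: it generates the whole file, in the format iptables-save writes and iptables-restore reads, from the ruleset in Stuart's post. It assumes the server address is passed in (W2K3IP in the thread is a placeholder), that eth0 is public and eth1 internal, that PPTP needs TCP 1723 plus GRE (IP protocol 47, which has no port) and that L2TP/IPsec needs UDP 500, 4500 and 1701, whereas the thread's original rules treated all five numbers as TCP ports. It also assumes the box has no other filter or nat rules worth keeping, so merge the output into an existing file rather than overwriting one.

```shell
#!/bin/sh
# Added example (not from the thread): emit the VPN forwarding rules in the
# /etc/sysconfig/iptables (iptables-save/iptables-restore) format.
# Assumptions not taken from the thread: $1 is the VPN server address (the
# thread's W2K3IP placeholder), eth0 is public and eth1 internal, PPTP needs
# TCP 1723 plus GRE (IP protocol 47, no port number) and L2TP/IPsec needs
# UDP 500, 4500 and 1701; the thread's original rules matched all five as TCP.
emit() { printf '%s\n' "$*"; }

gen_vpn_ruleset() {
    srv="$1"; ext="${2:-eth0}"; int="${3:-eth1}"
    ports="udp:500 udp:4500 udp:1701 tcp:1723"
    emit '*filter'
    emit ':INPUT ACCEPT [0:0]'; emit ':FORWARD ACCEPT [0:0]'; emit ':OUTPUT ACCEPT [0:0]'
    emit ':VPNIn - [0:0]'; emit ':VPNOut - [0:0]'
    # Hook the two chains into FORWARD by direction, as the thread's -I rules did
    emit -A FORWARD -i "$ext" -o "$int" -j VPNIn
    emit -A FORWARD -i "$int" -o "$ext" -j VPNOut
    # The '-m state' rule the thread was unsure about: it passes the reply half of
    # every tracked connection, DNAT'd VPN sessions and the LAN's own outbound alike
    emit -A VPNIn -m state --state ESTABLISHED,RELATED -j ACCEPT
    emit -A VPNOut -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New VPN sessions: GRE by protocol, the rest by port, all pinned to the server
    emit -A VPNIn -p gre -d "$srv" -j ACCEPT
    emit -A VPNOut -p gre -s "$srv" -j ACCEPT
    for pp in $ports; do
        proto=${pp%%:*}; port=${pp##*:}
        emit -A VPNIn -p "$proto" -d "$srv" --dport "$port" -j ACCEPT
        emit -A VPNOut -p "$proto" -s "$srv" --sport "$port" -j ACCEPT
    done
    # Anything else arriving from the Internet for the LAN is dropped
    emit -A VPNIn -j DROP
    emit COMMIT
    emit '*nat'
    emit ':PREROUTING ACCEPT [0:0]'; emit ':POSTROUTING ACCEPT [0:0]'; emit ':OUTPUT ACCEPT [0:0]'
    # Each DNAT keeps its own destination port (the thread's copy sent them all to :47)
    emit -A PREROUTING -i "$ext" -p gre -j DNAT --to-destination "$srv"
    for pp in $ports; do
        proto=${pp%%:*}; port=${pp##*:}
        emit -A PREROUTING -i "$ext" -p "$proto" --dport "$port" -j DNAT --to-destination "$srv:$port"
    done
    emit COMMIT
}

# Number of rules emitted, for a sanity check before the file is loaded
gen_vpn_rule_count() { gen_vpn_ruleset "$@" | grep -c '^-A'; }
```

Write the output to /etc/sysconfig/iptables after backing up the current file, load it with `service iptables restart` (or `iptables-restore < /etc/sysconfig/iptables`), and confirm the hits with `iptables -t nat -L PREROUTING -n -v` while a client connects.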
07-26-2004 11:44 AM
Re: Iptable forwarding code needed
07-26-2004 01:14 PM
Re: Iptable forwarding code needed
SEP
07-26-2004 01:43 PM
Re: Iptable forwarding code needed
SEP
07-26-2004 05:15 PM
Re: Iptable forwarding code needed
1) watch the counters. you should see the packet/byte values for the appropriate rules increase.
2) tcpdump. Tie one to each interface that the packets are traversing, and watch as they come in one, and out the other with a different address.
07-26-2004 10:13 PM
Re: Iptable forwarding code needed
. Why not temporarily add logging to forwarding rules? You could then see what's happening.
. Why not try the applications that are accessing these ports and see if they are running?
. Use telnet on specified ports.
Regards,
Fred
"Reality is just a point of view." (P. K. D.)
07-27-2004 02:45 AM
Re: Iptable forwarding code needed
How? Which ones?
SEP
07-27-2004 02:53 AM
Re: Iptable forwarding code needed
So, was the packet forwarded?
SEP
07-27-2004 04:31 AM
Re: Iptable forwarding code needed
# tcpdump eth0
then try connection to the "forward port" from a system on the Internet to your ip using
#telnet 'ip_address' 'port_number'
this should feed your "iptraf or tcpdump" and should also log into /etc/var/*
I hope this helps you, or else I am not getting the whole picture...
Jean-Pierre
07-27-2004 04:38 AM
Re: Iptable forwarding code needed
It's now obvious to me that some port that Microsoft needs to authenticate with is being blocked by the firewall.
I say this because on the internal network the VPN connects without error.
So guys, we missed something. I am willing to prove this by forwarding ALL traffic to the Microsoft server.
It would still be useful if someone who actually did a Linux firewall forward to a Windows 2003 VPN server chimed in. We're gonna get this bear.
SEP
07-27-2004 04:38 AM
Re: Iptable forwarding code needed
Had not read/seen your last message.
I think this means the package has been forwarded but perhaps it is rejected by W-2003
Perhaps you could get ethereal for the W-2003 and see what it sees?
Jean-Pierre
07-27-2004 04:58 AM
Re: Iptable forwarding code needed
That's why you got the rabbit.
Going to do that. That should prove definitively where the problem is. Gotta know where the issue is before you can fix it.
SEP
07-27-2004 04:59 AM
Re: Iptable forwarding code needed
Though there is no way you could know that, full logging is enabled.
SEP
07-27-2004 11:04 AM
Re: Iptable forwarding code needed
18:02:27.768993 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760
18:02:29.862213 arp who-has 192.168.0.48 tell 192.168.0.41
18:02:29.862416 arp reply 192.168.0.48 is-at 0:10:83:34:c6:70
18:02:33.784426 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760
18:02:49.455061 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760
18:02:52.379087 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760
18:02:58.393377 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760
Info:
192.168.0.48 is the NIC of the Windows 2003 server. This output is off of eth1, which is the internal NIC on the firewall.
Questions:
Does this data indicate packet forwarding?
Does this data indicate the W2K3 server is answering (I think no)?
SEP
07-27-2004 11:54 AM
Re: Iptable forwarding code needed
It also appears as if the W2K3 host isn't responding for some reason.
Do you have a firewall on the W2K3 server which is saying not to respond to things not from your LAN?
The other possibility (which I've encountered before) is that the W2K3 server doesn't know how to route back to 'dialup-4.158.9.218.Dial1.Chicago1.Level3.net'.
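One way to answer the two questions in the capture post from the capture itself, as an added example that is not from the thread: it reads tcpdump lines in the old format quoted above and, per external client, counts SYNs aimed at the VPN server and any packet the server sent back. The sample is constructed from the thread's eth1 capture plus one made-up client (10.9.8.7) that does get a SYN-ACK, so both verdicts appear.

```shell
#!/bin/sh
# Added example (not from the thread): read a tcpdump capture taken on the internal
# NIC (eth1) and, per external client, count SYNs aimed at the VPN server and any
# reply the server sent back. SYNs that repeat with the same sequence number but
# never draw a SYN-ACK mean DNAT and forwarding worked and the server (or its return
# route) is the problem. Assumes the old tcpdump line format quoted in the thread:
# "src.port > dst.port: S seq:seq(0) ...", where "S" in field 5 marks a SYN.
vpn_fwd_check() {           # usage: vpn_fwd_check SERVER_IP < capture.txt
    awk -v srv="$1" '
        $3 == ">" {
            src = $2; dst = $4; sub(/:$/, "", dst); flags = $5
            if (flags == "S" && dst ~ ("^" srv "\\.")) syn[src]++   # client -> server SYN
            else if (src ~ ("^" srv "\\."))            rep[dst]++   # anything server -> client
        }
        END {
            for (c in syn)
                print c, "syn=" syn[c], "replies=" rep[c] + 0,
                      (rep[c] > 0 ? "server-answering" : "forwarded-no-reply")
        }' | sort
}

# Constructed sample: lines from the thread's eth1 capture plus one made-up client
# (10.9.8.7) whose PPTP SYN to port 1723 does get a SYN-ACK, so both verdicts appear.
SAMPLE_CAPTURE='18:02:27.768993 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760
18:02:29.862213 arp who-has 192.168.0.48 tell 192.168.0.41
18:02:33.784426 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760
18:02:49.455061 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760
18:03:10.000000 10.9.8.7.2000 > 192.168.0.48.1723: S 1:1(0) win 8760
18:03:10.000100 192.168.0.48.1723 > 10.9.8.7.2000: S 99:99(0) ack 2 win 16384'

# Verdict line for one client of the sample, e.g. check_client 10.9.8.7.2000
check_client() {
    printf '%s\n' "$SAMPLE_CAPTURE" | vpn_fwd_check 192.168.0.48 | grep "^$1 "
}
```

Repeated SYNs with the same sequence number and no reply, as in the thread's capture, mean DNAT and forwarding worked and the fault lies on the server or its return route. A telnet to TCP port 47 only exercises that one DNAT rule: PPTP's data channel is GRE, IP protocol 47, which has no TCP port.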
07-27-2004 03:02 PM
Re: Iptable forwarding code needed
Since the W2K3 box is not responding to pings, I have a problem there. Very crucial what's going on, but I think I may be able to dink with it.
I'm not confident the firewall is disabled, but I think I can nail it down with my thread in the Windows side.
Hmmm. Looks like another bunny for Stuart.
SEP
07-27-2004 10:02 PM
Re: Iptable forwarding code needed
. One firewall stops ICMP... as long as you know your iptables, it may be that W2K3 firewall running.
. Your Win server does not resolve IP for the pinging machine.
Maybe a thing would be to use nmap from firewall to W2K3 server...
Regards,
Fred
"Reality is just a point of view." (P. K. D.)
07-28-2004 03:19 AM
Re: Iptable forwarding code needed
Please elaborate on your suggestion.
I have disabled the Windows firewall and the box responds to pings.
It just doesn't respond to VPN packets.
SEP