Iptable forwarding code needed

 
Steven E. Protter
Exalted Contributor

I need to forward port 47 and 1723 and maybe 500,1701, and 4500 to an internal Windows 2003 Server.

I have looked at many suggestions but need a proven Windows 2003 Server solution.

See this thread if there are issues that need to be dealt with on the Windows 2003 Server side.

Linux ES 3.0 2.4.x kernel iptables, two NIC. eth0 is on the public internet, eth1 is on the internal.

I am travelling the next two weeks, but can reconfigure the firewall. I can't test it and there may be a long delay in point assignment.

Points for all participation, but if the solution isn't proven to work with Windows 2003 Server you have no chance of getting bunny or near bunny pointage.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

The link:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=624076

SEP
Stuart Browne
Honored Contributor
Solution

Re: Iptable forwarding code needed

(Re-type 2: I hit 'clear' instead of preview *sob*sob*sob*)

Although not tested with W2K3 specifically, the following rules are the sort of things required:

filter:-

iptables -t filter -N VPNIn
iptables -t filter -N VPNOut

# PPTP is TCP 1723 for the control channel plus GRE, which is IP protocol 47,
# not a TCP port.  L2TP/IPsec is UDP: IKE 500, NAT-T 4500, L2TP 1701.
# ESP (IP protocol 50) is not forwarded here; an L2TP/IPsec client that does
# not use NAT-T would also need it.
iptables -t filter -A VPNIn -p tcp --dport 1723 -j ACCEPT
iptables -t filter -A VPNIn -p gre -j ACCEPT
iptables -t filter -A VPNIn -p udp --dport 500 -j ACCEPT
iptables -t filter -A VPNIn -p udp --dport 1701 -j ACCEPT
iptables -t filter -A VPNIn -p udp --dport 4500 -j ACCEPT

iptables -t filter -A VPNOut -p tcp --sport 1723 -j ACCEPT
iptables -t filter -A VPNOut -p gre -j ACCEPT
iptables -t filter -A VPNOut -p udp --sport 500 -j ACCEPT
iptables -t filter -A VPNOut -p udp --sport 1701 -j ACCEPT
iptables -t filter -A VPNOut -p udp --sport 4500 -j ACCEPT

iptables -t filter -I FORWARD -i eth0 -o eth1 -j VPNIn
iptables -t filter -I FORWARD -i eth1 -o eth0 -j VPNOut

nat:-

# Each DNAT sends the connection to the same port on the internal host
# (not everything to port 47).  GRE has no port, so it gets the bare address.
# W2K3IP is the internal address of the Windows server.
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination W2K3IP:1723
iptables -t nat -I PREROUTING -i eth0 -p gre -j DNAT --to-destination W2K3IP
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination W2K3IP:500
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to-destination W2K3IP:1701
iptables -t nat -I PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to-destination W2K3IP:4500

Discussion:-

We've done this using W2K before on older Linux boxes, but as we were using a specific VPN style (port 1723), we only had one rule apiece.

As the data will be going both ways, we need the VPNIn traffic (from external sites) and the VPNOut traffic (from the server, you could tie that down to a given '-s W2K3IP' if you wanted, but *shrug*) allowed through the 'FORWARD' chain. A '-m state --state ESTABLISHED,RELATED' might cover it but I'm not 100% sure about that.

The DNAT rules in the nat table translate the external connection to the specified ports to the internal machine 'W2K3IP'.
One long-haired git at your service...
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

I am sorry for the point delay Stuart. I just don't have access to the Windows 2003 server for tests. I believe your solution will solve the problem and essentially provide my chosen users the access they get on my internal network.

So 10 points without a test. What can I say.

SEP
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

I'm pretty sure I have this licked but...

I'm willing to hand out another bunny.

The last section of Stuart's code doesn't work. The I option doesn't work and I can't seem to debug it.

The real issue here was the W2K3 server.

The default firewall setup blocked VPN. Since there are already two firewalls including this one between the public Internet and the W2K3 box, I've shut down the firewall on Windows.

Still, I'd like this code to work well.

A bunny for the fix to Stuart's code (8 points if he fixes it himself) and a bunny for someone who translates it to /etc/sysconfig/iptables format.

Lazy, need the project in the bag. YES!

SEP
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Oh

-I

Duh.

If someone wants to translate this to config format, it would be appreciated and rewarded.

SEP
Stuart Browne
Honored Contributor

Re: Iptable forwarding code needed

Yea, sorry about that.. Didn't notice it.

For the '/etc/sysconfig/iptables' format, just drop 'iptables -t ' off the head of each of them, and precede the table section with ':table', i.e.:


*filter
# The builtin chain lines (:INPUT ..., :FORWARD ..., :OUTPUT ...) that
# iptables-save already wrote for this table stay above these.
:VPNIn - [0:0]
:VPNOut - [0:0]
[0:0] -A VPNIn -p tcp --dport 1723 -j ACCEPT
[0:0] -A VPNIn -p gre -j ACCEPT
[0:0] -A VPNIn -p udp --dport 500 -j ACCEPT
[0:0] -A VPNIn -p udp --dport 1701 -j ACCEPT
[0:0] -A VPNIn -p udp --dport 4500 -j ACCEPT
[0:0] -A VPNOut -p tcp --sport 1723 -j ACCEPT
[0:0] -A VPNOut -p gre -j ACCEPT
[0:0] -A VPNOut -p udp --sport 500 -j ACCEPT
[0:0] -A VPNOut -p udp --sport 1701 -j ACCEPT
[0:0] -A VPNOut -p udp --sport 4500 -j ACCEPT
# Rules are appended in file order: keep these jumps ahead of any
# DROP/REJECT rule already in FORWARD.
[0:0] -A FORWARD -i eth0 -o eth1 -j VPNIn
[0:0] -A FORWARD -i eth1 -o eth0 -j VPNOut
COMMIT

*nat
# Replace W2K3IP with the server's internal address; iptables-restore does
# not expand placeholders.
[0:0] -A PREROUTING -i eth0 -p tcp --dport 1723 -j DNAT --to-destination W2K3IP:1723
[0:0] -A PREROUTING -i eth0 -p gre -j DNAT --to-destination W2K3IP
[0:0] -A PREROUTING -i eth0 -p udp --dport 500 -j DNAT --to-destination W2K3IP:500
[0:0] -A PREROUTING -i eth0 -p udp --dport 1701 -j DNAT --to-destination W2K3IP:1701
[0:0] -A PREROUTING -i eth0 -p udp --dport 4500 -j DNAT --to-destination W2K3IP:4500
COMMIT
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

What I did Stuart was this:

service iptables restart

then I ran my corrections on your code as a script.

then I ran iptables-save > /etc/sysconfig/iptables

this of course after a backup.

Worked like a champ.

The only issue I have left is W2K3 Server says it doesn't have a certificate.

SEP
Stuart Browne
Honored Contributor

Re: Iptable forwarding code needed

Can't help you with that one. Haven't touched W2K3 at all.
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Wondering if i should see these little packets passing through on the firewall log. Somehow I'm back to not answering as a response again. Infuriating.

SEP
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

I'd like a way to verify once and for all if the packets are being passed through. I don't think they are.

SEP
Stuart Browne
Honored Contributor

Re: Iptable forwarding code needed

Two ways:

1) watch the counters. you should see the packet/byte values for the appropriate rules increase.

2) tcpdump. Tie one to each interface that the packets are traversing, and watch as they come in one, and out the other with a different address.
Fred Ruffet
Honored Contributor

Re: Iptable forwarding code needed

I'll add three other points to Stuart's :

. Why not temporarily add logging to forwarding rules? You could then see what's happening.
. Why not try the applications that are accessing these ports and see if they are running?
. Use telnet on specified ports.

Regards,

Fred
--

"Reality is just a point of view." (P. K. D.)
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Watch the counters?

How? Which ones?

SEP
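What "watch the counters" means in practice, as an added example that is not part of the thread: take one snapshot of the rule counters before a VPN connection attempt and one after, and print only the rules that moved. The iptables invocation (`-vnxL`, exact counters) is the standard one; the two listings below are constructed to mirror the nat PREROUTING chain from Stuart's rules with the server at 192.168.0.48, the address given later in the thread, and GRE shown as protocol 47.

```python
"""Diff iptables rule counters around a connection attempt.

Added example, not code from the thread.  The command names are real;
the BEFORE/AFTER listings are CONSTRUCTED sample output.
"""
import subprocess

# Which counters to watch for the thread's ruleset.  Reading them:
#   nat/PREROUTING DNAT rule climbs, matching VPNIn rule does not -> FORWARD drops it
#   neither climbs                                                -> packet never arrived
#   VPNIn climbs, VPNOut does not                                 -> the server is silent
SNAPSHOT_CMDS = {
    "nat/PREROUTING": ["iptables", "-t", "nat", "-vnxL", "PREROUTING"],
    "filter/VPNIn":   ["iptables", "-t", "filter", "-vnxL", "VPNIn"],
    "filter/VPNOut":  ["iptables", "-t", "filter", "-vnxL", "VPNOut"],
}


def parse_counters(listing):
    """Map each rule line (text from the target column onwards) to (pkts, bytes)."""
    rules = {}
    for line in listing.splitlines():
        cols = line.split()
        # 'Chain ...' and the column header do not start with a number.
        if len(cols) < 3 or not cols[0].isdigit():
            continue
        rules[" ".join(cols[2:])] = (int(cols[0]), int(cols[1]))
    return rules


def counter_deltas(before, after):
    """Rules whose packet counter moved between the two snapshots: (rule, +pkts, +bytes)."""
    b, a = parse_counters(before), parse_counters(after)
    return [(rule, a[rule][0] - b[rule][0], a[rule][1] - b[rule][1])
            for rule in a if rule in b and a[rule][0] != b[rule][0]]


def live_snapshot(name):
    """Run the real command on the firewall (needs root); not used by the demo below."""
    return subprocess.run(SNAPSHOT_CMDS[name], check=True,
                          capture_output=True, text=True).stdout


# CONSTRUCTED output of 'iptables -t nat -vnxL PREROUTING' before and after one
# PPTP attempt from outside: the TCP 1723 DNAT matched three packets, GRE none.
BEFORE = """\
Chain PREROUTING (policy ACCEPT 120 packets, 9600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.0.48:1723
       0        0 DNAT       47   --  eth0   *       0.0.0.0/0            0.0.0.0/0           to:192.168.0.48
"""
AFTER = """\
Chain PREROUTING (policy ACCEPT 131 packets, 10480 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3      180 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.0.48:1723
       0        0 DNAT       47   --  eth0   *       0.0.0.0/0            0.0.0.0/0           to:192.168.0.48
"""

if __name__ == "__main__":
    for rule, dp, db in counter_deltas(BEFORE, AFTER):
        print("+%d pkts / +%d bytes  %s" % (dp, db, rule))
```

On the firewall itself, call live_snapshot for each chain in SNAPSHOT_CMDS before and after a single connection attempt and feed the pairs to counter_deltas; a DNAT rule that moves while its VPNIn counterpart stays at zero points at the FORWARD chain, not at the Windows box.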
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

09:40:09.738866 shell2.speakeasy.net.56236 > jerusalem.investmenttool.com.1723: S 1612265629:1612265629(0) win 5840 (DF)

So, was the packet forwarded?

SEP
Huc_1
Honored Contributor

Re: Iptable forwarding code needed

SEP, to watch network traffic I use iptraf from root; if you do not have this use
# tcpdump -i eth0

then try connection to the "forward port" from a system on the Internet to your ip using

#telnet 'ip_address' 'port_number'

this should feed your "iptraf or tcpdump" and should also log into /etc/var/*

I hope this helps your or else I am not getting the whole picture...


Jean-Pierre
Smile I will feel the difference
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

I'm going to run a tcpdump with a full vpn test.

It's now obvious to me that some port that Microsoft needs to authenticate with is being blocked by the firewall.

I say this because on the internal network the VPN connects without error.

So guys, we missed something. I am willing to prove this by forwarding ALL traffic to the Microsoft server.

It would still be useful if someone who actually did a Linux firewall forward to a Windows 2003 VPN server chimed in. We're gonna get this bear.

SEP
Huc_1
Honored Contributor

Re: Iptable forwarding code needed

Sorry SEP
Had not read/seen your last message.

I think this means the package has been forwarded but perhaps it is rejected by W-2003

perhaps you could get ethereal for the W-2003 and see what it see ?

Jean-Pierre
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Great idea Huc.

That's why you got the rabbit.

Going to do that. That should prove definitively where the problem is. Gotta know where the issue is before you can fix it.

SEP
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Fred,

Though there is no way you could know that, full logging is enabled.

SEP
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Need some interpretation on this tcpdump data

18:02:27.768993 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760 (DF)
18:02:29.862213 arp who-has 192.168.0.48 tell 192.168.0.41
18:02:29.862416 arp reply 192.168.0.48 is-at 0:10:83:34:c6:70
18:02:33.784426 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760 (DF)
18:02:49.455061 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:02:52.379087 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:02:58.393377 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)


Info:
192.168.0.48 is the NIC of the Windows 2003 server. This output is off of eth1, which is the internal NIC on the firewall.

Questions:
Does this data indicate packet forwarding?

Does this data indicate the W2K3 server is answering(i think no)?

SEP
Stuart Browne
Honored Contributor

Re: Iptable forwarding code needed

Yes, it means the packets are being forwarded to the W2K3 host on port 47.

It also appears as if the W2K3 host isn't responding for some reason.

Do you have a firewall on the W2K3 server which is saying not to respond to things not from your LAN?

The other possibility (of which I've encountered before) is that the W2K3 server doesn't know how to route back to 'dialup-4.158.9.218.Dial1.Chicago1.Level3.net'.
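Reading that eth1 capture mechanically, as an added example that is not part of the thread: the script below pairs each SYN aimed at the internal host with any SYN/ACK coming back, so "forwarded but unanswered" (repeated SYNs with the same sequence number and no reply) is read off the capture rather than guessed, and the ARP reply is used to show the host is at least up on the segment. The first seven sample lines are SEP's capture as posted; the last two are constructed to show what a working handshake on 1723 would look like. It understands the one-line tcpdump format shown in the thread, nothing newer.

```python
"""Pair SYNs with SYN/ACKs in a tcpdump capture from the firewall's internal NIC.

Added example, not code from the thread.  Works on the classic one-line
tcpdump format the thread shows ("src.port > dst.port: S seq:seq(0) ...").
"""
import re
from collections import OrderedDict

# First seven lines: the capture posted in the thread.
# Last two lines: CONSTRUCTED healthy handshake on 1723 for contrast.
SAMPLE = """\
18:02:27.768993 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760 (DF)
18:02:29.862213 arp who-has 192.168.0.48 tell 192.168.0.41
18:02:29.862416 arp reply 192.168.0.48 is-at 0:10:83:34:c6:70
18:02:33.784426 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1584 > 192.168.0.48.47: S 1331588746:1331588746(0) win 8760 (DF)
18:02:49.455061 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:02:52.379087 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:02:58.393377 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1585 > 192.168.0.48.47: S 1337267886:1337267886(0) win 8760 (DF)
18:05:01.000000 dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1600 > 192.168.0.48.1723: S 100:100(0) win 8760 (DF)
18:05:01.000400 192.168.0.48.1723 > dialup-4.158.9.218.Dial1.Chicago1.Level3.net.1600: S 200:200(0) ack 101 win 16384 (DF)
"""

# Hostnames contain dots, so the port is the last ".digits" before " > " / ":".
TCP_RE = re.compile(r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+) (?P<rest>.*)$")
ARP_RE = re.compile(r"^\S+ arp reply (?P<ip>\S+) is-at ")


def analyze(capture, internal_host):
    """One verdict per client flow aimed at internal_host, in first-seen order."""
    flows = OrderedDict()   # (client, cport, server, sport) -> {"syns", "answered"}
    arp_alive = set()       # hosts that answered ARP, i.e. are up on the segment
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if m:
            arp_alive.add(m.group("ip"))
            continue
        m = TCP_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        has_ack = rest.startswith("ack ") or " ack " in rest
        if "S" in m.group("flags") and not has_ack and m.group("dst") == internal_host:
            # A bare SYN toward the server: a retransmit counts as another SYN.
            key = (m.group("src"), m.group("sport"), m.group("dst"), m.group("dport"))
            flows.setdefault(key, {"syns": 0, "answered": False})["syns"] += 1
        elif has_ack:
            # Anything carrying an ACK back toward the client settles the question.
            rev = (m.group("dst"), m.group("dport"), m.group("src"), m.group("sport"))
            if rev in flows:
                flows[rev]["answered"] = True

    results = []
    for (client, cport, server, sport), f in flows.items():
        if f["answered"]:
            verdict = "forwarded and answered"
        else:
            verdict = "forwarded, no reply from %s after %d SYN(s)" % (server, f["syns"])
            if server in arp_alive:
                verdict += ("; host answers ARP so it is up: check its host firewall, "
                            "the listening service, and its route back to the client")
        results.append({"client": client, "cport": cport, "server": server,
                        "sport": sport, "syns": f["syns"],
                        "answered": f["answered"], "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in analyze(SAMPLE, "192.168.0.48"):
        print("%s:%s -> %s:%s  %s" % (r["client"], r["cport"],
                                      r["server"], r["sport"], r["verdict"]))
```

Feed it the output of `tcpdump -i eth1 host W2K3IP` taken during a connection attempt. If the SYNs toward the internal address never show up on eth1 at all while they do on eth0, the nat PREROUTING or FORWARD rules are the problem rather than the Windows host; GRE has no handshake, so for the PPTP data channel the same capture with `proto gre` only tells you whether packets are going in, not whether they are answered.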
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Stuart,

Since the W2K3 box is not responding to pings, I have a problem there. Very crucial what's going on but I think I may be able to dink with it.

I'm not confident the firewall is disabled, but I think I can nail it down with my thread in the Windows side.

Hmmm. Looks like another bunny for Stuart.

SEP
Fred Ruffet
Honored Contributor

Re: Iptable forwarding code needed

W2K3 not responding to ping :
. One firewall stops ICMP... as long as you know your iptables, it may be the W2K3 firewall running.
. Your Win server does not resolve IP for the pinging machine.

Maybe a thing would be to use nmap from firewall to W2K3 server...

Regards,

Fred
Steven E. Protter
Exalted Contributor

Re: Iptable forwarding code needed

Fred,

Please elaborate on your suggestion.

I have disabled the Windows firewall and the box responds to pings.

It just doesn't respond to VPN packets.

SEP