desperate! can't get port forwarding to work on debian testing 2.6.15
I've just set up a new machine running debian testing with a 2.6.15
kernel and I'm having some real trouble getting port forwarding to
work. I've got two NICs and I'm using the following simple firewall
script:
EXTIF="external"   # used ifrename to rename interface (see below for details)
INTIF="internal"
EXTIP="216.125.24.45"
PORTFWIP="192.168.1.120"
IPTABLES=/sbin/iptables
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# allow inbound traffic for the forwarded port to cross from external to internal
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8090 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# rewrite the destination of inbound port-8090 traffic to the internal host
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 8090 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to $PORTFWIP:8090
# replies to connections opened from inside may come back in
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything from inside may go out
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# log whatever was not accepted above
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
----------------------------------------------------------------------------------------------------
I've been trying to telnet from an external machine to
216.125.24.45:8090, in hopes that it'll be forwarded to
192.168.1.120:8090, but no matter what I do, I can't get the
forwarding to work. If I run tcpdump on the gateway machine
(216.125.24.45) by using:
sudo tcpdump -i internal tcp port 8090 and src or dst net 192.168.1.120 -vv
and then try to telnet to port 8090 from another machine on the
internet, I get the following:
00:29:14.353035 IP (tos 0x0, ttl 54, id 18514, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x1463 (correct),
2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
0,nop,nop,timestamp 1065216778 0>
00:29:17.130277 IP (tos 0x0, ttl 54, id 18517, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x145e (correct),
2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
0,nop,nop,timestamp 1065216783 0>
00:29:20.141817 IP (tos 0x0, ttl 54, id 18520, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x1458 (correct),
2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
0,nop,nop,timestamp 1065216789 0>
00:29:23.140816 IP (tos 0x0, ttl 54, id 18523, offset 0, flags [DF],
proto: TCP (6), length: 44) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x8c09 (correct),
2921922032:2921922032(0) win 65535 <mss 1400>
00:29:26.136867 IP (tos 0x0, ttl 54, id 18525, offset 0, flags [DF],
proto: TCP (6), length: 44) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x8c09 (correct),
2921922032:2921922032(0) win 65535 <mss 1400>
and then in /var/log/kern.log, I see the following:
Apr 12 23:38:53 asterisk kernel: IN=external OUT=internal SRC=205.196.222.10 DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=14381 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
If I then run tcpdump on the internal machine (192.168.1.120) by using:
sudo tcpdump -vv -i em0 port 8090 (FreeBSD box)
I get:
00:32:30.014144 IP (tos 0x0, ttl 47, id 19712, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.47191 >
192.168.1.120.8090: S, cksum 0xb12b (correct),
4194765628:4194765628(0) win 5840 <mss 1400,sackOK,timestamp 21967827
0,nop,wscale 0>
So it looks like packets are actually being forwarded from the
external machine (216.125.24.45) to the internal machine
(192.168.1.120), but unfortunately I can't make a connection; my
telnet client just sits there. I've tried forwarding many different
services, such as http, ssh, etc., but the same thing happens (at the
moment I'm just using a simple ruby tcp server on port 8090 which
responds with the current date/time). So as far as I can tell I'm
doing everything right, I've got all the proper modules loaded, but
for some reason forwarding just refuses to work properly. Also, if I
try to telnet from the gateway machine directly to 192.168.1.120:8090,
it works perfectly.
I've used this exact same setup on a few other boxes in the past and
I've had no problems. The only thing I can think of which may be
responsible for this problem is that I'm using ifrename to map my
network cards to different names, such as "internal" and "external",
instead of eth0 and eth1 (I had to map names to MAC addresses for the
cards, because they were randomly being assigned to different ethernet
interfaces upon each boot, i.e. sometimes my dlink card would be eth0,
other times it would be eth1).
I'd really like to get this to work, since I have a bunch of SIP
phones behind my firewall, and I'd like to be able to port forward to
them so I can receive calls. If anyone has any suggestions or advice,
please let me know - I'm starting to pull my hair out on this one!
Thanks in advance
Mike
included below is the output from "iptables -t nat -n -L"
----------------------------------------------------------------
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            216.125.24.45       tcp dpt:8090 state NEW,RELATED,ESTABLISHED to:192.168.1.120:8090
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
----------------------------------------------------------------
and iptables -n -L shows:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8090 state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
Chain OUTPUT (policy ACCEPT)
target     prot opt source
----------------------------------------------------------------
and sockstat -4 (bsd command) shows:
mike ruby 41105 3 tcp4 192.168.1.120:8090 *:*
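Added example (not from the post or from any reply to it): a small parser for netfilter LOG lines in the kern.log format shown above, used to check whether each DNAT'ed inbound SYN (external to internal) has a matching SYN/ACK reply logged in the other direction. It assumes a LOG rule that sees both directions of the flow (e.g. one inserted at the top of FORWARD for port 8090 in either direction rather than the catch-all LOG after the ACCEPT rules in the script above); the sample log lines are constructed, modelled on the post's entry, and the reply and second SYN are hypothetical.

```python
"""Parse iptables LOG lines and pair inbound SYNs with their SYN/ACK replies."""
import re

# Constructed sample lines modelled on the kern.log entry in the post.
# Line 2 is a hypothetical reply from the internal host; line 3 a second
# hypothetical SYN for which no reply was logged.
SAMPLE_LOG = """\
Apr 12 23:38:53 asterisk kernel: IN=external OUT=internal SRC=205.196.222.10 DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=14381 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 12 23:38:53 asterisk kernel: IN=internal OUT=external SRC=192.168.1.120 DST=205.196.222.10 LEN=44 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=8090 DPT=55698 WINDOW=65535 RES=0x00 ACK SYN URGP=0
Apr 12 23:39:10 asterisk kernel: IN=external OUT=internal SRC=198.51.100.7 DST=192.168.1.120 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=222 DF PROTO=TCP SPT=40001 DPT=8090 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_log_line(line):
    """Return (fields, flags) for one netfilter LOG line, or None if it is not one.

    KEY=VALUE tokens go into fields; bare tokens (DF, SYN, ACK, ...) are flags.
    """
    m = re.search(r"kernel: (IN=.*)$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group(1).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    return fields, flags


def forwarded_flows(log_text, ext_if="external", int_if="internal"):
    """Map each inbound SYN (ext_if -> int_if) to True if its SYN/ACK reply
    (int_if -> ext_if) was also logged, else False."""
    syns, replies = {}, set()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None or parsed[0].get("PROTO") != "TCP":
            continue
        f, flags = parsed
        key = (f["SRC"], f["SPT"], f["DST"], f["DPT"])
        if f.get("IN") == ext_if and f.get("OUT") == int_if and "SYN" in flags and "ACK" not in flags:
            syns[key] = False
        elif f.get("IN") == int_if and f.get("OUT") == ext_if and {"SYN", "ACK"} <= flags:
            # store the reply keyed the same way as the SYN it answers
            replies.add((f["DST"], f["DPT"], f["SRC"], f["SPT"]))
    return {key: key in replies for key in syns}


if __name__ == "__main__":
    for flow, answered in forwarded_flows(SAMPLE_LOG).items():
        print(flow, "reply seen" if answered else "NO REPLY through gateway")
```

A SYN that is forwarded but never answered through the gateway points at the return path (the internal host replying via some other route, or not at all) rather than at the DNAT rule itself.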