[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

desperate! can't get port forwarding to work on debian testing 2.6.15



I've just set up a new machine running debian testing with a 2.6.15
kernel and I'm having some real trouble getting port forwarding to
work..  I've got two NIC's and I'm using the following simple firewall
script:

EXTIF="external"             #used ifrename to rename interface (see
below for details)
INTIF="internal"
EXTIP="216.125.24.45"
PORTFWIP="192.168.1.120"
IPTABLES=/sbin/iptables

echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 8090 -m state
--state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 8090 -m state 
--state NEW,ESTABLISHED,RELATED -j DNAT --to $PORTFWIP:8090

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
----------------------------------------------------------------------------------------------------

I've been trying to telnet from an external machine to
216.125.24.45:8090, in hopes that it'll be forwarded to
192.168.1.120:8090, but no matter what I do, I can't get the
forwarding to work.  If I run tcpdump on the gateway machine
(216.125.24.45) by using:

sudo tcpdump -i internal tcp port 8090 and src or dst net 192.168.1.120 -vv

And then try to telnet to port 8090 from another machine on the
internet, I get the following:

00:29:14.353035 IP (tos 0x0, ttl  54, id 18514, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x1463 (correct),
2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
0,nop,nop,timestamp 1065216778 0>
00:29:17.130277 IP (tos 0x0, ttl  54, id 18517, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x145e (correct),
2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
0,nop,nop,timestamp 1065216783 0>
00:29:20.141817 IP (tos 0x0, ttl  54, id 18520, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x1458 (correct),
2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
0,nop,nop,timestamp 1065216789 0>
00:29:23.140816 IP (tos 0x0, ttl  54, id 18523, offset 0, flags [DF],
proto: TCP (6), length: 44) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x8c09 (correct),
2921922032:2921922032(0) win 65535 <mss 1400>
00:29:26.136867 IP (tos 0x0, ttl  54, id 18525, offset 0, flags [DF],
proto: TCP (6), length: 44) wilshire.dreamhost.com.55787 >
192.168.1.120.8090: S, cksum 0x8c09 (correct),
2921922032:2921922032(0) win 65535 <mss 1400>

and then in /var/log/kern.log, I see the following:

Apr 12 23:38:53 asterisk kernel: IN=external OUT=internal
SRC=205.196.222.10 DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54
ID=14381 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN
URGP=0

if I then run tcpdump on the internal machine (192.168.1.120) by using:

sudo tcpdump  -vv -i em0 port 8090  (FreeBSD box)

I get:

00:32:30.014144 IP (tos 0x0, ttl  47, id 19712, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.47191 >
192.168.1.120.8090: S, cksum 0xb12b (correct),
4194765628:4194765628(0) win 5840 <mss 1400,sackOK,timestamp 21967827
0,nop,wscale 0>

so it looks like packets are actually being forwarded from the
external machine (216.125.24.45) to the internal machine
(192.168.1.120), but unfortunately, I can't make a connection, my
telnet client just sits there.  I've tried forwarding many different
services, such as http, ssh, etc, but the same thing happens (at the
moment, I'm just using a simple ruby tcp server on port 8090 which
responds with the current date/time).  So as far as I can tell, I'm
doing everything right, I've got all the proper modules loaded, but
for some reason, forwarding just refuses to work properly.  Also, if I
try to telnet from the gateway machine directly to 192.168.1.120:8090,
it works perfectly..

I've used this exact same set up on a few other boxes in the past and
I've had no problems.. The only thing I can think of which may be
responsible for this problem is that I'm using ifrename to map my
network cards to different names, such as "internal" and "external"
instead of eth0 and eth1 (I had to map names to mac-addresses for the
cards, because they were randomly being assigned to different ethernet
interfaces upon each boot, ie sometimes my dlink card would be eth0,
other times it would be eth1).

I'd really like to get this to work, since I have a bunch of SIP
phones behind my firewall, and I'd like to be able to port forward to
them so I can receive calls.  If anyone has any suggestions or advice,
please let me know - I'm starting to pull my hair out on this one! 
Thanks in advance

Mike

included below is the output from "iptables -t nat -n -L"

----------------------------------------------------------------
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            216.125.24.45        tcp
dpt:8090 state NEW,RELATED,ESTABLISHED to:192.168.1.120:8090

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

----------------------------------------------------------------

and iptables -n -L shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp
dpt:8090 state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state
RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags
0 level 4

Chain OUTPUT (policy ACCEPT)
target     prot opt source

----------------------------------------------------------------


and sockstat -4 (bsd command) shows:

mike     ruby       41105 3  tcp4   192.168.1.120:8090    *:*



Reply to: