Re: desperate! can't get port forwarding to work on debian testing 2.6.15
On 4/13/06, Pascal Hambourg <pascal.mail@plouf.fr.eu.org> wrote:
> > I've just set up a new machine running debian testing with a 2.6.15
> > kernel and I'm having some real trouble getting port forwarding to
> > work. I've got two NICs and I'm using the following simple firewall
> > script:
<snip>
> You can remove the 'state' match : nat chains don't see ESTABLISHED nor
> RELATED packets.
>
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> >
> > echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> If $EXTIF has a fixed address, you can use "SNAT --to $EXTIP" instead of
> MASQUERADE, it will take a little less CPU resources.
Hi Pascal, thanks for taking the time to reply to my message. The
reason I've got the ESTABLISHED and RELATED states is because I took
the firewall script from here:
<http://tldp.org/HOWTO/IP-Masquerade-HOWTO/forwarders.html#PORTFW-VIA-IPTABLES-PREROUTING>
and it uses those states.
> > I've been trying to telnet from an external machine to
> > 216.125.24.45:8090, in hopes that it'll be forwarded to
> > 192.168.1.120:8090, but no matter what I do, I can't get the
> > forwarding to work. If I run tcpdump on the gateway machine
> > (216.125.24.45) by using:
> >
> > sudo tcpdump -i internal tcp port 8090 and src or dst net 192.168.1.120 -vv
> >
> > And then try to telnet to port 8090 from another machine on the
> > internet, I get the following:
> >
> > 00:29:14.353035 IP (tos 0x0, ttl 54, id 18514, offset 0, flags [DF],
> > proto: TCP (6), length: 60) wilshire.dreamhost.com.55787 >
> > 192.168.1.120.8090: S, cksum 0x1463 (correct),
> > 2921922032:2921922032(0) win 65535 <mss 1400,nop,wscale
> > 0,nop,nop,timestamp 1065216778 0>
> [and so on]
>
> SYN packets come out from the internal interface with the correct
> destination address, so your port forwarding (DNAT and FORWARD) works.
>
> > and then in /var/log/kern.log, I see the following:
> >
> > Apr 12 23:38:53 asterisk kernel: IN=external OUT=internal
> > SRC=205.196.222.10 DST=192.168.1.120 LEN=44 TOS=0x00 PREC=0x00 TTL=54
> > ID=14381 DF PROTO=TCP SPT=55698 DPT=8090 WINDOW=65535 RES=0x00 SYN
> > URGP=0
>
> In a way, it's consistent with the iptables ruleset and the tcpdump
> output, as the destination address is correct. But the presence in the
> kernel log means that the packet was not accepted by the first FORWARD
> rule, and that's not consistent. The times of the tcpdump output and
> kernel log don't match, maybe it was a previous attempt with a different
> ruleset ?
Yes, sorry about that; the lines in kern.log were from an earlier
ruleset. I don't see anything in kern.log after changing the ruleset.
Before I go any further, I'll provide some more details on my exact setup:
I've got two machines, a Linux box called "asterisk", running Debian
testing, and another machine called "dev". Both have two NICs in
them.
asterisk has the following configuration:
[11:08AM][mike@asterisk]% /sbin/ifconfig
external Link encap:Ethernet HWaddr 00:48:54:8B:CB:A2
inet addr: 216.125.24.45 Bcast:216.58.87.255 Mask:255.255.248.0
inet6 addr: fe80::248:54ff:fe8b:cba2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2974 errors:0 dropped:0 overruns:0 frame:0
TX packets:1769 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3639188 (3.4 MiB) TX bytes:134708 (131.5 KiB)
Interrupt:209 Base address:0xd400
internal Link encap:Ethernet HWaddr 00:11:2F:38:52:8D
inet addr:192.168.1.121 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::211:2fff:fe38:528d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27335 errors:0 dropped:0 overruns:0 frame:0
TX packets:29897 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2394121 (2.2 MiB) TX bytes:36524587 (34.8 MiB)
Interrupt:209
and the routing table is as follows:
[11:14AM][adam@asterisk]% netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 internal
216.125.24.0    *               255.255.248.0   U         0 0          0 external
default         216.125.24.33   0.0.0.0         UG        0 0          0 external
dev is a FreeBSD machine and has the following config:
[11:04AM][mike@dev]% ifconfig
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=b<RXCSUM,TXCSUM,VLAN_MTU>
inet6 fe80::215:f2ff:fe04:9bd0%em0 prefixlen 64 scopeid 0x1
inet 192.168.1.120 netmask 0xffffff00 broadcast 192.168.1.255
ether 00:15:f2:04:9b:d0
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::20d:88ff:fe4e:1f09%vr0 prefixlen 64 scopeid 0x2
inet 216.125.24.46 netmask 0xfffffff8 broadcast 216.58.85.39
ether 00:0d:88:4e:1f:09
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
and the routing table is as follows:
[11:21AM][mike@dev]% netstat -r -n -f inet
Routing tables
Internet:
Destination Gateway Flags Refs Use Netif Expire
default 216.125.24.33 UGS 0 272 vr0
127.0.0.1 127.0.0.1 UH 0 62199 lo0
192.168.1 link#1 UC 0 0 em0
192.168.1.120 00:15:f2:04:9b:d0 UHLW 1 36 lo0
192.168.1.121 00:11:2f:38:52:8d UHLW 1 17540 em0
192.168.1.255 ff:ff:ff:ff:ff:ff UHLWb 1 3294 em0
216.125.24.46 00:0d:88:4e:1f:09 UHLW 1 13 lo0
I've set up the firewall rules on dev as follows (of course this rule
is only used for testing, in reality my ruleset is much stronger):
[11:22AM][mike@dev]% sudo ipfw -t show
00050 75698 40356918 Thu Apr 13 11:25:00 2006 allow ip from any to any
65535 0 0 deny ip from any to any
Now, both the dev and asterisk machines have their internal NIC connected
to the same switch.
> > if I then run tcpdump on the internal machine (192.168.1.120) by using:
> >
> > sudo tcpdump -vv -i em0 port 8090 (FreeBSD box)
>
> Too bad you monitored only TCP/8090 traffic. ICMP traffic, with signals
> errors, would have been interesting too.
Okay, I've now tried using the following tcpdump command on the dev
box (where 192.168.1.105 is the machine I'm ssh'ing from, so as not to
have the ssh session interfere with my logging):
[11:38AM][mike@dev]% sudo tcpdump -vv -i em0 -s 1500 not net 192.168.1.105 and not stp and not igmp and not port netbios-ssn and not udp
tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 1500 bytes
11:38:23.505221 IP (tos 0x0, ttl 44, id 4414, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xf1af (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25941384 0,nop,wscale 0>
11:38:26.499372 IP (tos 0x0, ttl 44, id 53366, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xf083 (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25941684 0,nop,wscale 0>
11:38:31.497784 arp who-has 192.168.1.120 tell 192.168.1.121
11:38:31.497817 arp reply 192.168.1.120 is-at 00:15:f2:04:9b:d0 (oui Unknown)
11:38:32.499163 IP (tos 0x0, ttl 44, id 30699, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xee2b (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25942284 0,nop,wscale 0>
11:38:44.527735 IP (tos 0x0, ttl 44, id 62502, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xe97b (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25943484 0,nop,wscale 0>
The output is essentially the same, other than the inclusion of the
ARP request and reply. You mentioned ICMP traffic with signals errors
- did you want me to ping from an internal machine to the FreeBSD
(dev) box, or should I be getting ICMP traffic when telnetting from an
external machine, like I've been doing for testing?
And for completeness, here is the output from tcpdump on the Linux box
(asterisk - the one doing the port forwarding):
[11:38AM][mike@asterisk]% sudo tcpdump -i internal src or dst net 192.168.1.120 -vv
tcpdump: listening on internal, link-type EN10MB (Ethernet), capture size 96 bytes
11:38:23.739661 IP (tos 0x0, ttl 44, id 4414, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xf1af (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25941384 0,nop,wscale 0>
11:38:26.734202 IP (tos 0x0, ttl 44, id 53366, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xf083 (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25941684 0,nop,wscale 0>
11:38:31.732835 arp who-has 192.168.1.120 tell 192.168.1.121
11:38:31.733025 arp reply 192.168.1.120 is-at 00:15:f2:04:9b:d0 (oui Unknown)
11:38:32.733961 IP (tos 0x0, ttl 44, id 30699, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xee2b (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25942284 0,nop,wscale 0>
11:38:44.762937 IP (tos 0x0, ttl 44, id 62502, offset 0, flags [DF],
proto: TCP (6), length: 60) wilshire.dreamhost.com.41315 >
192.168.1.120.8090: S, cksum 0xe97b (correct), 564074531:564074531(0)
win 5840 <mss 1400,sackOK,timestamp 25943484 0,nop,wscale 0>
> > Also, if I
> > try to telnet from the gateway machine directly to 192.168.1.120:8090,
> > it works perfectly..
>
> Maybe your BSD box has no default route to the NAT gateway, or it has a
> firewall filtering out packets originating from outside the internal network.
As can be seen from the BSD routing table for dev, the firewall is set
to allow everything, and it does have a default route to the NAT
gateway (192.168.1.121 00:11:2f:38:52:8d UHLW 1 17540
em0). I've also tried forwarding ports to a few other machines on
the internal network (and the SIP phones), and I can't get to any of
them either.
> > included below is the output from "iptables -t nat -n -L"
>
> Without the "-v" option, it won't show the input and/or output
> interfaces. IMHO the output of 'iptables-save' is easier to read.
I've updated my firewall ruleset with the information you provided and
here is the output of iptables-save:
[11:32AM][mike@asterisk]% sudo iptables-save
# Generated by iptables-save v1.3.3 on Thu Apr 13 11:32:38 2006
*mangle
:PREROUTING ACCEPT [124:8948]
:INPUT ACCEPT [30363:5582373]
:FORWARD ACCEPT [80:4800]
:OUTPUT ACCEPT [64:10496]
:POSTROUTING ACCEPT [32005:36238588]
COMMIT
# Completed on Thu Apr 13 11:32:38 2006
# Generated by iptables-save v1.3.3 on Thu Apr 13 11:32:38 2006
*nat
:PREROUTING ACCEPT [10:1090]
:POSTROUTING ACCEPT [3:180]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d 216.58.85.36 -p tcp -m tcp --dport 8090 -m state --state NEW -j DNAT --to-destination 192.168.1.120:8090
-A POSTROUTING -o external -j SNAT --to-source 216.58.85.36
COMMIT
# Completed on Thu Apr 13 11:32:38 2006
# Generated by iptables-save v1.3.3 on Thu Apr 13 11:32:38 2006
*filter
:INPUT ACCEPT [111:8044]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [66:10760]
-A FORWARD -d 192.168.1.120 -i external -o internal -p tcp -m tcp --dport 8090 -m state --state NEW -j ACCEPT
-A FORWARD -i external -o internal -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i internal -o external -j ACCEPT
-A FORWARD -j LOG
COMMIT
# Completed on Thu Apr 13 11:32:38 2006
> > and iptables -n -L shows:
> >
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain FORWARD (policy ACCEPT)
>
> Ahem... Default policy ACCEPT ? So what's the use of all those rules ?
Yeah, the default policy is ACCEPT while I test; I'll change it
to DENY once I get everything working.
Thanks again for your help,
Mike
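An added example, not part of this thread or of the HOWTO script Mike used: a small Python audit of an iptables-save dump for the three points Pascal raised (the ACCEPT policy on FORWARD, the redundant state match in the nat table, and whether every DNAT target is accepted by a FORWARD rule). The sample dump is constructed to mirror the one posted above; the parse/accepts/audit functions are assumed names.

```python
import re

# Constructed sample mirroring the iptables-save dump posted in the thread
# (addresses as posted, each rule on one line, mangle table omitted).
SAMPLE = """\
*nat
-A PREROUTING -d 216.58.85.36 -p tcp -m tcp --dport 8090 -m state --state NEW -j DNAT --to-destination 192.168.1.120:8090
-A POSTROUTING -o external -j SNAT --to-source 216.58.85.36
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.1.120 -i external -o internal -p tcp -m tcp --dport 8090 -m state --state NEW -j ACCEPT
-A FORWARD -i external -o internal -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(dump):
    """Map each table name to (chain policies, list of '-A' rule lines)."""
    tables, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], ({}, []))
        elif cur and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur[0][chain] = policy
        elif cur and line.startswith("-A "):
            cur[1].append(line)
    return tables

def accepts(rule, host, port):
    """True if a filter rule ACCEPTs traffic to this host (and port, if given)."""
    toks = rule.split()
    dst = toks[toks.index("-d") + 1].split("/")[0] if "-d" in toks else None
    dpt = toks[toks.index("--dport") + 1] if "--dport" in toks else None
    return toks[-2:] == ["-j", "ACCEPT"] and dst == host and port in (None, dpt)

def audit(dump):
    t = parse(dump)
    _, nat_rules = t.get("nat", ({}, []))
    flt_pol, flt_rules = t.get("filter", ({}, []))
    out = []
    if flt_pol.get("FORWARD") == "ACCEPT":
        out.append("FORWARD policy is ACCEPT: the ACCEPT rules change nothing; use DROP")
    for r in nat_rules:
        if "-m state" in r:  # only a connection's first packet traverses nat
            out.append("redundant state match in nat: " + r)
        m = re.search(r"-j DNAT --to-destination (\S+?)(?::(\d+))?$", r)
        if m and not any(accepts(f, *m.groups()) for f in flt_rules):
            out.append("DNAT to %s has no matching FORWARD ACCEPT: %s" % (m.group(1), r))
    return out
```

On the sample, audit(SAMPLE) reports the ACCEPT policy and the redundant state match; the DNAT target is covered by the first FORWARD rule, so that check stays quiet.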