[ale] port forwarding for iptables.

JK jknapka at kneuro.net
Tue Jun 9 19:16:03 EDT 2009


Atlanta Geek wrote:
> I did the tcpdumps.  Traffic is coming in.  However traffic is not going out.
> 
> I turned off my firewall and disabled the external interface to simplify things.
> 
> I'm also redirecting traffic to the telnet port on that machine because
> I am 100% sure that interface is active.
> 
> 
> Here is my iptables now


I'm gonna annotate this for my own benefit:


> ---------
> # Generated by iptables-save v1.3.5 on Wed Jun 10 02:40:52 2009
> *filter
> :INPUT ACCEPT [604:70323]


Accept everything terminating at this machine.  OK, but shouldn't be
relevant.


> :FORWARD ACCEPT [0:0]


Accept everything passing through this machine.  Should be OK.


> :OUTPUT ACCEPT [1190:209769]


Accept everything originating at this machine. No problem, not
relevant though.


> -A FORWARD -d 10.0.1.213 -p tcp  --dport 23 -j LOG --log-prefix "TCP FORWARD:"

Seeing any of these in the log?

> -A FORWARD -d 10.0.1.213 -p tcp  --dport 23 -j ACCEPT


Anything going through me to .213:23 is accepted. Looks good. Shouldn't
be needed because the policy is FORWARD:ACCEPT anyway, but I get that
that won't normally be the case.


> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


I don't think you need this. Unsure whether it's gonna hose things up.


> COMMIT
> # Completed on Wed Jun 10 02:40:52 2009
> # Generated by iptables-save v1.3.5 on Wed Jun 10 02:40:52 2009
> *nat
> :PREROUTING ACCEPT [11:2095]

Nothing to see here...

> :POSTROUTING ACCEPT [30:1800]

Move along...

> :OUTPUT ACCEPT [30:1800]

These still aren't the droids you're looking for...

> -A PREROUTING -d 10.0.0.39 -p tcp  --dport 1013 -j LOG --log-prefix "TCP PREROUTING:"

Seeing any of these in the log?

> -A PREROUTING -d 10.0.0.39 -p tcp  --dport 1013 -j DNAT --to-destination 10.0.1.213:23

So anything coming to me at port 1013 should get re-written to go to
.213:23.  This should cause the rewritten packet to land in the FORWARD
chain and be accepted as noted above.


> COMMIT
> # Completed on Wed Jun 10 02:40:52 2009
> ---------------------


Hmm, at first glance it all looks OK.  What's getting logged?
Just for grins, you might try killing off the --state rule.

Another idea, if you can really clamp down on the network traffic
and eliminate any that might confuse the issue, might be to just
tcpdump EVERYTHING going in and out of the firewall box and see
if that brings any clues to the surface.

-- JK
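The PREROUTING-then-FORWARD traversal JK walks through above, as an added example that is not part of the original thread or anyone's posted tool: a small Python model that parses the quoted iptables-save dump and traces a SYN to 10.0.0.39:1013 through nat PREROUTING, the routing decision, and filter FORWARD. It models only the two tables and the match options that appear in the quoted rules; the net.ipv4.ip_forward sysctl, the route back from 10.0.1.213 and conntrack's reverse translation of replies are outside both the model and the quoted rules, so a clean trace here says only that the rules themselves are not what blocks the traffic. The packets and the local-address set are constructed for the example.

```python
"""Model of how an inbound TCP SYN traverses the rules quoted in the thread:
nat PREROUTING (DNAT), then the routing decision, then filter FORWARD.
Added example; RULESET below is the poster's iptables-save dump, verbatim."""
import shlex
from dataclasses import dataclass, field, replace as dc_replace

RULESET = """\
*filter
:INPUT ACCEPT [604:70323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1190:209769]
-A FORWARD -d 10.0.1.213 -p tcp  --dport 23 -j LOG --log-prefix "TCP FORWARD:"
-A FORWARD -d 10.0.1.213 -p tcp  --dport 23 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [11:2095]
:POSTROUTING ACCEPT [30:1800]
:OUTPUT ACCEPT [30:1800]
-A PREROUTING -d 10.0.0.39 -p tcp  --dport 1013 -j LOG --log-prefix "TCP PREROUTING:"
-A PREROUTING -d 10.0.0.39 -p tcp  --dport 1013 -j DNAT --to-destination 10.0.1.213:23
COMMIT
"""

@dataclass
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"
    state: str = "NEW"   # conntrack state as seen by "-m state"

@dataclass
class Rule:
    chain: str
    match: dict = field(default_factory=dict)   # options before -j
    target: str = ""
    args: dict = field(default_factory=dict)    # options after -j

# Only the options that occur in the quoted dump; each takes one value.
KNOWN_OPTS = {"-d", "-p", "-m", "--dport", "--state", "--log-prefix", "--to-destination"}

def parse_ruleset(text):
    """Parse iptables-save output into {table: {chain: {"policy", "rules"}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                     # *filter / *nat
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                   # :CHAIN POLICY [pkts:bytes]
            chain, policy, _counters = line[1:].split(None, 2)
            table[chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            toks = shlex.split(line)                 # keeps the quoted log prefix whole
            rule = Rule(chain=toks[1])
            i = 2
            while i < len(toks):
                opt, val = toks[i], toks[i + 1]
                if opt == "-j":
                    rule.target = val
                elif opt in KNOWN_OPTS:
                    (rule.args if rule.target else rule.match)[opt] = val
                else:
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                i += 2
            table[rule.chain]["rules"].append(rule)
    return tables

def matches(rule, pkt):
    """True when every match option on the rule agrees with the packet."""
    m = rule.match
    return (m.get("-d", pkt.dst) == pkt.dst
            and m.get("-p", pkt.proto) == pkt.proto
            and int(m.get("--dport", pkt.dport)) == pkt.dport
            and pkt.state in m.get("--state", pkt.state).split(","))

def walk_chain(tables, table, chain, pkt, log):
    """Run a packet down one chain; return the (possibly rewritten) packet and a verdict."""
    entry = tables[table][chain]
    for rule in entry["rules"]:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":                     # non-terminating: keep going
            log.append(f'{rule.args["--log-prefix"]} dst={pkt.dst}:{pkt.dport}')
        elif rule.target == "DNAT":                  # rewrite destination, chain ends
            host, port = rule.args["--to-destination"].rsplit(":", 1)
            return dc_replace(pkt, dst=host, dport=int(port)), "DNAT"
        elif rule.target in ("ACCEPT", "DROP", "REJECT"):
            return pkt, rule.target
    return pkt, entry["policy"]                      # fell off the end: chain policy

def trace_inbound(tables, pkt, local_addrs):
    """PREROUTING runs before the routing decision, so a DNAT there picks INPUT vs FORWARD."""
    log = []
    pkt, _ = walk_chain(tables, "nat", "PREROUTING", pkt, log)
    chain = "INPUT" if pkt.dst in local_addrs else "FORWARD"
    pkt, verdict = walk_chain(tables, "filter", chain, pkt, log)
    return {"final_dst": f"{pkt.dst}:{pkt.dport}", "chain": chain, "verdict": verdict, "log": log}

if __name__ == "__main__":
    tables = parse_ruleset(RULESET)
    # Constructed packets: the forwarded telnet SYN, and a SYN aimed at the box itself.
    for pkt in (Packet(dst="10.0.0.39", dport=1013), Packet(dst="10.0.0.39", dport=22)):
        print(trace_inbound(tables, pkt, {"10.0.0.39"}))
```

The two LOG rules are the observable part of this path: with these rules a SYN to port 1013 should produce one "TCP PREROUTING:" line and one "TCP FORWARD:" line in the kernel log, which is the check JK asks about twice above. A PREROUTING hit with no FORWARD hit would point at the routing decision or ip_forward rather than at the rules.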


