Port Forwarding


Post by jen140 » 2009-10-03 20:49

Hello all.
I want to forward all the connections I get through eth0 so that they get passed to interface eth1, IP 192.168.0.200, on port 21.
I already tried most rules I've found with Google, but they simply don't work.
My boot network script:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#dhclient eth0
ifconfig eth1 192.168.0.1
ifconfig eth1 up
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
######
jen140
 
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

Post by aspnair » 2009-10-04 03:52

Did you try adding routes with the "route" command?
Compressed Air Energy Storage, Entropy and Efficiency
http://saurorja.org/2012/06/18/compress ... fficiency/
aspnair
 
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

Post by jen140 » 2009-10-04 06:38

No, I will try to read the man page and see if I can make them. I would be glad of any examples, because Google only shows how to set the gateway with it.
Edit:
Can't find any needed information for the route command.
And I've also tried adding the next rule:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.200:21
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
And tried to connect through LAN (eth1), localhost (lo), and tried scanning with nmap remotely.
And nmap shows 21 is filtered, but not open.
But one thing: do I need to restart the machine/iptables for the changes to take effect? Because I always tried to only add the rule and check if it is working.

Re: Port Forwarding

Post by jen140 » 2009-10-04 13:50

So, are there any network administrators who know a bit about iptables? :\

Re: Port Forwarding

Post by aspnair » 2009-10-04 14:43

What is your network configuration? I think that one side is your private network and the other side is connected to the internet. Out of eth0 and eth1, which one is your private network? Also, what are the IP addresses of these interfaces? This information would be helpful.

Re: Port Forwarding

Post by jen140 » 2009-10-04 15:07

OK, so I have the following interfaces:
eth0 with a dynamic IP; it's the interface on which I have my internet connection.
eth1 with a static IP is my LAN network interface; through it I share internet with all the network.
The 192.168.0.200 is also a static IP, of the virtual machine (VirtualBox) running on the "server".
There are also two other clients, 192.168.0.2 and 192.168.0.3.
The router gives the ability to connect to the server from the clients.
So we have the next diagram:
Internet->server(eth0)->server(eth1)->router->clients.
The router can't be the first to connect to the internet because it doesn't have the needed port.

Re: Port Forwarding

Post by aspnair » 2009-10-04 16:49

From what I understand, you have your clients 192.168.0.2, 192.168.0.3, from where you need to access the internet through your server.
* When configuring the network of these clients, use 192.168.0.1 (eth1) as the gateway.
* Configure the server's eth0 with a default gateway as the IP address of your ISP's gateway.
* You may have to include a static route on your server to access the 192.168.0.x network
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1
* Most important, enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

It looks like you are using 192.168.0.200 on the server as a virtualbox. I never used virtualbox, so I am not sure how to configure its network.

Re: Port Forwarding

Post by jen140 » 2009-10-04 20:16

You didn't understand =).
I've just described the network as you asked.
I already have internet on all the clients (including VirtualBox).
Now I need to get the next:
when someone from the internet connects to my gateway (server) on port 21, that connection would be redirected to port 21 of the VirtualBox, something like:
from ANY interface eth1 to 192.168.0.200 -p 21

Re: Port Forwarding

Post by aspnair » 2009-10-05 02:41

Could you post the output of the following commands?
* ifconfig
* netstat -atpn (as root)
Do these commands from both the server and the virtual box.

This is what I understood. You are running an FTP server in your virtual box that is hosted on the server, and you want to access that from the internet.
If this is correct, then I think instead of using iptables to forward port 21, you need to configure your VirtualBox to forward port 21 to the virtual machine.
http://sk.c-wd.net/wp/2008/01/05/virtualbox-port-forwarding-with-linux-host/
We could see more after seeing your network interface list and TCP open ports.

Re: Port Forwarding

Post by jen140 » 2009-10-05 07:53

I can easily access VirtualBox's FTP from the server and LAN, so that's not a problem.
ifconfig output:
server:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:f7:cb:9a:0b
inet addr:83.132.160.X Bcast:83.132.160.255 Mask:255.255.255.0
inet6 addr: fe80::213:f7ff:fecb:X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10989081 errors:0 dropped:0 overruns:0 frame:0
TX packets:6984018 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2770963646 (2.5 GiB) TX bytes:1240490135 (1.1 GiB)
Interrupt:18 Base address:0xb000

eth1 Link encap:Ethernet HWaddr 00:0e:2e:f2:2d:e3
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20e:2eff:fef2:2de3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2241967 errors:0 dropped:0 overruns:0 frame:0
TX packets:3578572 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:918373564 (875.8 MiB) TX bytes:322909145 (307.9 MiB)
Interrupt:19 Base address:0xb400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3595 errors:0 dropped:0 overruns:0 frame:0
TX packets:3595 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:182518 (178.2 KiB) TX bytes:182518 (178.2 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.0.1 P-t-P:10.10.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:55766 errors:0 dropped:0 overruns:0 frame:0
TX packets:86030 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2901209 (2.7 MiB) TX bytes:81711908 (77.9 MiB)

server:~#
server:~# netstat -atpn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:617 0.0.0.0:* LISTEN 2985/famd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2479/mysqld
tcp 0 0 10.10.0.1:5900 0.0.0.0:* LISTEN 22400/x11vnc
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2044/portmap
tcp 0 0 10.10.0.1:8080 0.0.0.0:* LISTEN 2975/ziproxy
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 2551/epmd
tcp 0 0 10.10.0.1:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 83.132.160.101:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 10.10.0.1:22 0.0.0.0:* LISTEN 2397/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2905/exim4
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2358/named
tcp 0 0 0.0.0.0:55515 0.0.0.0:* LISTEN 2055/rpc.statd
tcp6 0 0 :::53 :::* LISTEN 2358/named
tcp6 0 0 ::1:953 :::* LISTEN 2358/named
And the VirtualBox forwarding didn't work, neither with root nor with a normal account.

Re: Port Forwarding

Post by jen140 » 2009-10-05 10:06

Mirror of the post on the Ubuntu forum: http://ubuntuforums.org/showthread.php?p=8055314

Re: Port Forwarding

Post by aspnair » 2009-10-05 11:20

Generally the following should be enough to forward a port from the external network to the internal one.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.200 --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d <external ip address of eth0> --dport 21 -j DNAT --to 192.168.0.200:21

But overall it looks like you are doing something similar to that. To make things simple, why don't you try once to set up an FTP server on one of your real client PCs instead of VirtualBox and see if it is working?

You do not need to restart your machine for the changes to take effect.
Before applying any new rules, just clear everything. You could write the following in a script:

iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT

iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
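An added example, not part of any post in this thread: the same port forward written as one ruleset for iptables-restore, with the FORWARD policy set to DROP and only the forwarded port and LAN-originated traffic allowed, instead of the `-P FORWARD ACCEPT` used above. The function names are hypothetical; the interface names and the 192.168.0.200:21 target are the ones from the thread, and the DNAT rule matches on the interface only because eth0 has a dynamic address.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Prints an iptables-restore ruleset: DNAT one TCP port to a LAN host,
# with FORWARD defaulting to DROP instead of ACCEPT.
# Note: FTP's separate data connection is only matched as RELATED when the
# FTP conntrack helper (nf_conntrack_ftp, nf_nat_ftp) is active; not set up here.

# Reject anything that could smuggle extra options into a rule line.
valid_ifname() { case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# forward_ruleset WAN_IF LAN_IF LAN_HOST PORT  (returns 2 on bad input)
forward_ruleset() {
    wan=$1 lan=$2 host=$3 port=$4
    valid_ifname "$wan" && valid_ifname "$lan" || return 2
    valid_ipv4 "$host" && valid_port "$port" || return 2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $host:$port
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -p tcp -d $host --dport $port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}
# As root: forward_ruleset eth0 eth1 192.168.0.200 21 | iptables-restore
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it.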

Re: Port Forwarding

Post by jen140 » 2009-10-05 11:50

Cleaned all the rules, added the next:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.200 --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 83.132.160.X --dport 21 -j DNAT --to 192.168.0.200:21
iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.3 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 83.132.160.X --dport 80 -j DNAT --to 192.168.0.3:80
When scanning with nmap online, it says it is filtered.
On 192.168.0.3 IIS is running, but it wasn't accessible from the internet.

Re: Port Forwarding

Post by aspnair » 2009-10-05 13:42

Did you enable /proc/sys/net/ipv4/ip_forward?
Are you trying to access your IIS really from outside, or trying to connect to it by using the public IP address of your internet connection eth0 from inside?
Are you using any Windows firewall on 192.168.0.3?

Re: Port Forwarding

Post by jen140 » 2009-10-05 14:26

Yes, IP forwarding is enabled, and it works (because I have the internet on all the LAN computers).
I've tried running nmap-online.com and it says it's filtered (outside view), and tried both from inside accessing the internet's IP.
And none gets the connection.