Port Forwarding

jen140
Posts: 15
Joined: 2009-10-03 20:46

Port Forwarding

#1 Post by jen140 »

Hello all.
I want to forward all the connections I get through eth0 to be passed to interface eth1, IP 192.168.0.200 on port 21.
I already tried most rules I've found with Google but they simply don't work.
My boot network script:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#dhclient eth0
ifconfig eth1 192.168.0.1
ifconfig eth1 up
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
######

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#2 Post by aspnair »

Did you try adding routes with "route" command?
Compressed Air Energy Storage, Entropy and Efficiency
http://saurorja.org/2012/06/18/compress ... fficiency/

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#3 Post by jen140 »

No, will try to read the man and see if I can make them; would be glad of any examples, because Google only shows how to set the gateway with it.
Edit:
Can't find any needed information for the route command.
And I've also tried adding the next rule:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 21 -j DNAT --to-destination 192.168.0.200:21
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
And tried to connect through LAN (eth1), localhost (lo) and tried scanning with nmap remotely.
And nmap shows 21 is filtered, but not open.
But one thing: do I need to restart the machine/iptables for changes to take effect? Because I always tried to only add the rule and check if it is working.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#4 Post by jen140 »

So, are there any network administrators who know a bit about iptables? :\

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#5 Post by aspnair »

What is your network configuration? I think that one side is your private network and another side is connected to the internet. Out of eth0 and eth1, which one is your private network? Also, what are the IP addresses of these interfaces? This information would be helpful.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#6 Post by jen140 »

Ok, so I have multiple interfaces, as follows:
eth0 with a dynamic IP; it's the interface on which I have my internet connection.
eth1 with a static IP is my LAN network interface; through it I share internet with all the network.
192.168.0.200 is also a static IP, of the virtual machine (VirtualBox) running on the "server".
There are also two other clients, 192.168.0.2 and 192.168.0.3.
The router gives the ability to connect to the server from the clients.
So we have the next diagram:
Internet->server(eth0)->server(eth1)->router->clients.
The router can't be the first to connect to the internet because it doesn't have the needed port.

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#7 Post by aspnair »

From what I understand, you have your clients 192.168.0.2 and 192.168.0.3, from where you need to access the internet through your server.
* When configuring the network of these clients, use 192.168.0.1 (eth1) as the gateway.
* Configure the server's eth0 with a default gateway as the IP address of your ISP's gateway.
* You may have to include a static route on your server to access the 192.168.0.x network:
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth1
* Most important, enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

It looks like you are using 192.168.0.200 on the server as a VirtualBox. I never used VirtualBox, so I am not sure how to configure its network.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#8 Post by jen140 »

You didn't understand =).
I've just described the network as you asked.
I already have internet on all the clients (including VirtualBox).
Now I need to get the next:
when someone from the internet connects to my gateway (server) on port 21, that connection would be redirected to port 21 of the VirtualBox, something like:
from ANY interface eth1 to 192.168.0.200 -p 21

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#9 Post by aspnair »

Could you post the output of the following commands
* ifconfig
* netstat -atpn (as root)
Do these commands from both server and virtual box.

This is what I understood. You are running an FTP server in your VirtualBox that is hosted on the server and you want to access that from the internet.
If this is correct, then I think instead of using iptables to forward port 21, you need to configure your VirtualBox to forward port 21 to the virtual machine.
http://sk.c-wd.net/wp/2008/01/05/virtua ... inux-host/
We could see more after seeing your network interface list and open TCP ports.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#10 Post by jen140 »

I can easily access VirtualBox's FTP from the server and LAN, so that's not a problem.
ifconfig output:
server:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:13:f7:cb:9a:0b
inet addr:83.132.160.X Bcast:83.132.160.255 Mask:255.255.255.0
inet6 addr: fe80::213:f7ff:fecb:X/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10989081 errors:0 dropped:0 overruns:0 frame:0
TX packets:6984018 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2770963646 (2.5 GiB) TX bytes:1240490135 (1.1 GiB)
Interrupt:18 Base address:0xb000

eth1 Link encap:Ethernet HWaddr 00:0e:2e:f2:2d:e3
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::20e:2eff:fef2:2de3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2241967 errors:0 dropped:0 overruns:0 frame:0
TX packets:3578572 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:918373564 (875.8 MiB) TX bytes:322909145 (307.9 MiB)
Interrupt:19 Base address:0xb400

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3595 errors:0 dropped:0 overruns:0 frame:0
TX packets:3595 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:182518 (178.2 KiB) TX bytes:182518 (178.2 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.10.0.1 P-t-P:10.10.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:55766 errors:0 dropped:0 overruns:0 frame:0
TX packets:86030 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:2901209 (2.7 MiB) TX bytes:81711908 (77.9 MiB)

server:~#
server:~# netstat -atpn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:617 0.0.0.0:* LISTEN 2985/famd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2479/mysqld
tcp 0 0 10.10.0.1:5900 0.0.0.0:* LISTEN 22400/x11vnc
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2044/portmap
tcp 0 0 10.10.0.1:8080 0.0.0.0:* LISTEN 2975/ziproxy
tcp 0 0 0.0.0.0:4369 0.0.0.0:* LISTEN 2551/epmd
tcp 0 0 10.10.0.1:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 192.168.0.1:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 83.132.160.101:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2358/named
tcp 0 0 10.10.0.1:22 0.0.0.0:* LISTEN 2397/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2905/exim4
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2358/named
tcp 0 0 0.0.0.0:55515 0.0.0.0:* LISTEN 2055/rpc.statd
tcp6 0 0 :::53 :::* LISTEN 2358/named
tcp6 0 0 ::1:953 :::* LISTEN 2358/named
And the VirtualBox forwarding didn't work, neither with root nor with a normal account.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#11 Post by jen140 »

Mirror of the post on ubuntu forum : http://ubuntuforums.org/showthread.php?p=8055314

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#12 Post by aspnair »

Generally the following should be enough to forward a port from external network to internal.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.200 --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d <external ip address of eth0> --dport 21 -j DNAT --to 192.168.0.200:21

But overall it looks like you are doing something similar to that. To make things simple, why don't you try once to set up an FTP server on one of your real client PCs instead of VirtualBox and see if it is working?

You do not need to restart your machine for the changes to take effect.
Before applying any new rules, just clear everything; you could write the following in a script:

iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT

iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#13 Post by jen140 »

Cleaned all the rules, added the next:
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.200 --dport 21 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 83.132.160.X --dport 21 -j DNAT --to 192.168.0.200:21
iptables -A FORWARD -i eth0 -p tcp -d 192.168.0.3 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp -d 83.132.160.X --dport 80 -j DNAT --to 192.168.0.3:80
When scanning with nmap online it says it is filtered.
IIS is running on 192.168.0.3, but it wasn't accessible from the internet.
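
An added example, not part of the post above or of the thread: when a forwarded port still scans as "filtered", the per-rule packet counters from `iptables-save -c` show whether the DNAT rule ever matched and whether the FORWARD chain let the connection through. The function name, verdict labels and sample dump are constructed for illustration, and 203.0.113.10 stands in for the public address of eth0.

```shell
#!/bin/sh
# Added example. Classify where a DNAT port forward stops, from the
# [packets:bytes] counters that `iptables-save -c` prints before each rule.
# Real use (as root):  iptables-save -c | diagnose_forward 21
diagnose_forward() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2) }                  # "*nat", "*filter"
        table == "filter" && /^:FORWARD / { policy = $2 }
        /^\[/ && $0 ~ ("--dport " port "( |$)") {
            split(substr($1, 2), c, ":")                 # c[1] = packets
            if (table == "nat" && $3 == "PREROUTING" && / -j DNAT /) {
                dnat = 1; dnat_pk += c[1]                # counts new connections
            }
            if (table == "filter" && $3 == "FORWARD" && / -j ACCEPT/)
                fwd_pk += c[1]
        }
        END {
            if (!dnat) print "no-dnat-rule"
            else if (dnat_pk == 0) print "dnat-never-matched"
            else if (policy != "ACCEPT" && fwd_pk == 0) print "blocked-in-forward"
            else print "forwarded-check-target"
        }'
}

# Constructed sample dump modelled on the rules in post #13; 203.0.113.10
# is a documentation address standing in for the public IP of eth0.
sample_dump() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [120:7200]
:POSTROUTING ACCEPT [40:2400]
[6:360] -A PREROUTING -d 203.0.113.10/32 -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.200:21
[900:54000] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [5000:400000]
[18:1080] -A FORWARD -d 192.168.0.200/32 -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
EOF
}

sample_dump | diagnose_forward 21
```

A verdict of `dnat-never-matched` means no packet hit the rule (nothing arrived, or the rule's `-i`/`-d` match is wrong); `forwarded-check-target` means the gateway translated and passed the connection, so the next place to look is the destination host (listener, host firewall, return route).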

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#14 Post by aspnair »

Did you enable /proc/sys/net/ipv4/ip_forward?
Are you trying to access your IIS really from outside, or trying to connect to it by using the public IP address of your internet connection eth0 from inside?
Are you using any Windows firewall on 192.168.0.3?

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#15 Post by jen140 »

Yes, IP forwarding is enabled, and it works (because I have the internet on all the LAN computers).
I've tried running nmap-online.com and it says it's filtered (outside view), and tried both from inside accessing the internet's IP.
And none gets the connection.

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#16 Post by aspnair »

The real way to find it is trying it from outside. I noticed that using your internet public IP address from inside is not that reliable.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#17 Post by jen140 »

It was tested from outside using the nmap-online.com service, and it still says that it's filtered.
The problem is still not solved; aren't there any pro Linux admins out here?

aspnair
Posts: 1247
Joined: 2009-06-18 12:27
Location: Twitter: @anand_sivaram

Re: Port Forwarding

#18 Post by aspnair »

Are you sure that your ISP is not blocking any port themselves? Many ISPs block ftp/ssh/http etc. ports.
Just to make sure that this is not the case, do the following:

* Clear all iptables rules on your server.
* Run any of ftp/ssh/http server on your server, not on your private LAN machine, no port forwarding etc.
* Ask your friend to connect to it.

If you don't want to run any server you could use netcat also, with any port, for example port 5500:
nc -l -p 5500

Ask your friend to do
telnet <your public ip> 5500
or
http://<your public ip>:5500

If it is working, try to repeat the same for 22 (ssh) or 80 (http) to make sure that they are working.
If they are not working, there is nothing you could do.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#19 Post by jen140 »

No, my ISP doesn't block any ports, and it was tested before installing Linux on a Windows system, and I could easily host any service.
But to be sure, I've used netcat as follows:
netcat -vv -l -p21
And scanned the host with nmap-online.com, and it reports that the port is open.
So the problem hides somewhere in the system.

jen140
Posts: 15
Joined: 2009-10-03 20:46

Re: Port Forwarding

#20 Post by jen140 »

Thanks everyone for your time and help.
I've got it solved at http://www.daniweb.com/forums/thread229187.html
The problem was on the side of the virtual machine.
