Debian 10.1, iptables and DNAT not working
Hello folks.
I'm trying to build a firewall using Debian 10.1. I have several interfaces (many of them VLANs).
Now I'm trying to allow HTTP access from the internet to my internal web server, but I'm not able to do this.
These are the rules I have been trying to add using iptables:
iptables -A FORWARD -p tcp -d 192.168.2.22 --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -s 192.168.2.22 --sport 80 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT --destination 192.168.2.22:80
And here it fails with:
iptables v1.8.2 (fn_tables): unknown option "DNAT"
I have searched the internet to try to find a solution, but nothing came up. I found a lot of examples of how to do this, and all of them use -j DNAT.
What is wrong? Please help...
Re: Debian 10.1, iptables and DNAT not working
"--destination" is wrong. The correct option is "--to-destination" or "--to".
PS : the 2nd rule is the wrong way of allowing return packets. Consider using connection tracking instead.
Re: Debian 10.1, iptables and DNAT not working
p.H wrote:
> "--destination" is wrong. The correct option is "--to-destination" or "--to".
> PS : the 2nd rule is the wrong way of allowing return packets. Consider using connection tracking instead.
What do you mean by using connection tracking? I do not know iptables that much. Just started to work with it.
Re: Debian 10.1, iptables and DNAT not working
This is the latest version of my firewall script (fw.sh). Hope it helps in solving my problem.
Code:
#!/usr/bin/sh -v
PATH=/usr/sbin
# Define the physical interfaces:
INTERNET=enp4s5
VLAN=enp2s0
LOCAL=enp4s6
# Other definitions.
PUBLICIP=1.2.3.4
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
iptables -X
iptables --delete-chain
iptables --table nat --delete-chain
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
iptables -t nat -A POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables -A FORWARD --in-interface $INTERNET -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTERNET -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.102 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.104 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.105 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.106 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.107 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.108 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $LOCAL -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VLAN.109 -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.102 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.105 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.106 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.107 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.108 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $VLAN.109 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LOCAL -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
# Incoming HTTP traffic to web server.
iptables -A FORWARD -p tcp -d 192.168.2.22 --dport 80 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 80 -j DNAT -–to 192.168.2.22:80
# Here I get the message: iptables v1.8.2 (nt_tables): unknown option "DNAT"
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
Re: Debian 10.1, iptables and DNAT not working
It seems that one of the dashes in "-–to" is not a standard dash.
Connection tracking is this kind of stuff :
Code:
iptables -A FORWARD -i $LOCAL -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
Note that iptables is being replaced with nftables, so if you are starting with it maybe you should learn to use nftables instead.
Re: Debian 10.1, iptables and DNAT not working
p.H wrote:
> It seems that one of the dashes in "-–to" is not a standard dash.
> Connection tracking is this kind of stuff :
> Code:
> iptables -A FORWARD -i $LOCAL -o $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
> Note that iptables is being replaced with nftables, so if you are starting with it maybe you should learn to use nftables instead.
You're right. vi did not show that until I searched for --to. THANKS!
But now I get: Bad argument '--dport'
Update: It was on a different rule. It seems like a lot of -- did not contain a regular -
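Added example (not from the thread or its fw.sh): a small POSIX sh lint that finds the non-ASCII bytes p.H spotted, so a whole script can be checked in one pass instead of searching for each option by hand. The file path and the sample rules are constructed; the en dash in the sample is the same character the script above contained.

```shell
#!/bin/sh
# Added example: report lines of a firewall script that contain bytes outside
# printable ASCII (en dashes, curly quotes, non-breaking spaces). iptables
# parses options byte by byte, so "-–to" is not "--to" to it.
lint_ascii() {
    # LC_ALL=C makes [:print:] and [:space:] byte-based, so every byte >= 0x80
    # is reported, and grep never treats the file as "binary".
    # Prints "line:content" for each hit and returns 1 if anything was found.
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" && return 1
    return 0
}

# Same check, followed by a hex dump of each offending line, so an en dash
# (e2 80 93) can be told apart from a plain hyphen (2d) at a glance.
show_bad_bytes() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" | while IFS= read -r line; do
        printf '%s\n' "$line"
        printf '%s' "$line" | od -An -tx1 | tr -s ' \n' ' '
        printf '\n'
    done
}

# Constructed sample reproducing the thread's bug: the "--to" on the second
# rule starts with an en dash (UTF-8 bytes e2 80 93) instead of two hyphens.
make_sample() {
    printf 'iptables -A FORWARD -p tcp -d 192.168.2.22 --dport 80 -j ACCEPT\n' > "$1"
    printf 'iptables -A PREROUTING -t nat -p tcp -d 1.2.3.4 --dport 80 -j DNAT -\342\200\223to 192.168.2.22:80\n' >> "$1"
}

# Usage: sh lint.sh /path/to/fw.sh  (hypothetical file name)
if [ -n "${1:-}" ]; then
    show_bad_bytes "$1"
fi
```

Running it before loading a ruleset turns the "unknown option" and "Bad argument" errors into a line number and the exact bytes to fix.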
Re: Debian 10.1, iptables and DNAT not working
p.H wrote:
> What editor did you use to write the script ?
The first version was written using Notepad++ on a Windows machine.
When I installed vim I got syntax coloring and every place where one of the - was 'of the wrong type', I could see it easily (gray color, should have been red).
So far the syntax of the firewall script is OK.
BUT - I'm not able to get traffic through the firewall. I turned on logging and it shows that something is f**d up.
When trying to go from IP 192.168.3.2 to a website on the internet, I see
SRC=192.168.3.2 DST=192.168.3.31
The destination IP is the broadcast IP for that net. I have checked 'ip route' and it says it has a default GW to the Cisco router connecting the firewall to the Internet.
Re: Debian 10.1, iptables and DNAT not working
p.H wrote:
> Please show the full packet trace.
> What do these subnet and address belong to ?
Do you mean traceroute or?
Traceroute from one host to a host on a different NIC says
Code:
# from 192.168.3.3
$ traceroute 192.168.2.22
1 firewall (192.168.3.1) ....
2 firewall (192.168.3.1) ....
Here is my /etc/network/interfaces file:
Code:
source /etc/network/interfaces.d/*
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
# This is the interface to Internet
allow-hotplug enp4s5
iface enp4s5 inet static
address 213.145.181.14
netmask 255.255.255.252
gateway 213.145.181.13
# DMZ-1
allow-hotplug enp4s6
iface enp4s6 inet static
address 192.168.2.1
netmask 255.255.255.0
auto enp2s0.104
iface enp2s0.104 inet static
address 192.168.3.1
netmask 255.255.255.224
vlan-raw-device enp2s0
auto enp2s0.105
iface enp2s0.105 inet static
address 192.168.3.33
netmask 255.255.255.224
vlan-raw-device enp2s0
auto enp2s0.106
iface enp2s0.106 inet static
address 192.168.3.65
netmask 255.255.255.224
vlan-raw-device enp2s0
auto enp2s0.107
iface enp2s0.107 inet static
address 192.168.3.97
netmask 255.255.255.224
vlan-raw-device enp2s0
auto enp2s0.108
iface enp2s0.108 inet static
address 192.168.3.129
netmask 255.255.255.224
vlan-raw-device enp2s0
auto enp2s0.109
iface enp2s0.109 inet static
address 192.168.4.1
netmask 255.255.255.224
vlan-raw-device enp2s0
# iface enp4s5 inet6 auto
Re: Debian 10.1, iptables and DNAT not working
rabbagast wrote:
> Do you mean traceroute or?
No, I mean the full message which included "SRC=192.168.3.2 DST=192.168.3.31".
rabbagast wrote:
> But no ssh traffic through the firewall.
Of course not. Your FORWARD rules do not allow packets in the NEW state (except from $INTERNET, which is just insane).
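Added example, not the thread's fw.sh: a stateful FORWARD policy plus the corrected DNAT rule, written so the per-interface ESTABLISHED,RELATED matrix in the script collapses into one rule and NEW connections are accepted only where intended. It uses the -m conntrack --ctstate match (the current form of the -m state --state used above), reuses the interface names and addresses from the script, and with IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not the thread's script): minimal stateful FORWARD policy
# with the DNAT port forward. Set IPT=echo to print rules without loading them.
IPT="${IPT:-iptables}"

# Names taken from the thread's fw.sh.
INTERNET=enp4s5
LOCAL=enp4s6
PUBLICIP=1.2.3.4
WEBSERVER=192.168.2.22

# Stateful core: one rule handles the reply packets of every allowed
# connection in every direction, so no per-interface-pair rules are needed.
# INVALID packets are dropped first so they never reach a later ACCEPT.
forward_base() {
    "$IPT" -P FORWARD DROP
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Outbound: NEW connections only from the inside towards the Internet.
# There is deliberately no "-i $INTERNET -j ACCEPT" rule: that would let any
# unsolicited packet from the Internet into every internal network.
forward_outbound() {
    "$IPT" -A FORWARD -i "$LOCAL" -o "$INTERNET" -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
}

# Port forward: DNAT in nat/PREROUTING rewrites the destination before
# routing, so the FORWARD rule must match the post-NAT address ($WEBSERVER),
# not $PUBLICIP. "--to-destination" is plain ASCII hyphens.
forward_dnat_http() {
    "$IPT" -t nat -A PREROUTING -i "$INTERNET" -p tcp -d "$PUBLICIP" --dport 80 \
        -j DNAT --to-destination "$WEBSERVER:80"
    "$IPT" -A FORWARD -i "$INTERNET" -o "$LOCAL" -p tcp -d "$WEBSERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Log-then-drop tail: every refused packet leaves a rate-limited kernel-log
# line with a searchable prefix, instead of disappearing silently.
forward_tail() {
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FORWARD-DROP: "
    "$IPT" -A FORWARD -j DROP
}

apply_rules() {
    forward_base
    forward_outbound
    forward_dnat_http
    forward_tail
}

# Only load rules when explicitly asked: sh rules.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with IPT=echo first to review the generated rules; the whole ruleset is five FORWARD rules plus two nat rules, against the dozens of pairwise rules in fw.sh.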
Re: Debian 10.1, iptables and DNAT not working
p.H wrote:
> rabbagast wrote:
> > Do you mean traceroute or?
> No, I mean the full message which included "SRC=192.168.3.2 DST=192.168.3.31".
> rabbagast wrote:
> > But no ssh traffic through the firewall.
> Of course not. Your FORWARD rules do not allow packets in the NEW state (except from $INTERNET, which is just insane).
I have removed the -m state --state part of the FORWARD rules between the interfaces. That did not help.
Part of the kern.log file (note: I previously wrote that I tried from 192.168.3.2, but the correct address is 192.168.3.3):
Code:
Sep 10 14:11:37 firewall kernel: [17315.727664] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40537 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728240] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40538 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728293] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40539 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728375] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40540 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728624] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40541 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728652] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40542 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728873] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40543 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.728899] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40544 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729120] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40545 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729173] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40546 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729371] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40547 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729399] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40548 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729620] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40549 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729674] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40550 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729871] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40551 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.729904] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40552 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730122] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40553 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730370] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40554 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730619] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40555 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.730872] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40556 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731125] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40557 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731379] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40558 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731626] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40559 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.731876] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40560 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.732124] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40561 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:11:37 firewall kernel: [17315.732377] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=104 TOS=0x10 PREC=0x00 TTL=64 ID=40562 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK PSH URGP=0
Re: Debian 10.1, iptables and DNAT not working
There is no LOG rule in your script, so how come there are iptables messages in the kernel log ?
I do not see DST=192.168.3.31 in these messages. Also they do not show forwarded traffic but packets sent to the firewall itself (DST=192.168.3.1), and are part of an established SSH connection (ACK), not connection requests (SYN).
Does the routing work properly at least if you remove all filtering and accept all packets ?
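Added example (not from the thread): a POSIX sh/awk helper that reads iptables LOG lines and applies the two checks made above, whether OUT= is empty (a packet addressed to the firewall itself, logged in INPUT) or names an interface (a forwarded packet), and whether the TCP flags show SYN alone (a connection request) or ACK (part of an established flow). The first sample line is from the kern.log excerpt above; the second is constructed.

```shell
#!/bin/sh
# Added example: classify iptables LOG lines by path and connection state.
# Output per line: "<local|forward> <new|established|n/a> SRC->DST IN-iface".
classify_log() {
    awk '
    /IN=/ {
        inif = ""; outif = ""; src = ""; dst = ""; proto = ""; syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")          # "OUT=" yields an empty kv[2]
            if ($i ~ /^IN=/)    inif  = kv[2]
            if ($i ~ /^OUT=/)   outif = kv[2]
            if ($i ~ /^SRC=/)   src   = kv[2]
            if ($i ~ /^DST=/)   dst   = kv[2]
            if ($i ~ /^PROTO=/) proto = kv[2]
            if ($i == "SYN")    syn = 1
            if ($i == "ACK")    ack = 1
        }
        # Empty OUT= means the packet was delivered to the firewall itself
        # (INPUT chain); a named OUT= means it was being forwarded.
        path = (outif == "") ? "local" : "forward"
        if (proto != "TCP")   state = "n/a"
        else if (syn && !ack) state = "new"
        else                  state = "established"
        printf "%s %s %s->%s %s\n", path, state, src, dst, inif
    }' "$@"
}

# Aggregate view: how many logged packets fall into each path/state pair.
summarize_log() {
    classify_log "$@" | awk '{ c[$1 " " $2]++ } END { for (k in c) print c[k], k }' | sort
}

# Sample input: line 1 is from the thread's kern.log excerpt, line 2 is a
# constructed SYN towards the web server that a FORWARD LOG rule would emit.
sample_log() {
    cat <<'EOF'
Sep 10 14:11:37 firewall kernel: [17315.727664] IN=enp2s0.104 OUT= MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.3.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=40537 DF PROTO=TCP SPT=37318 DPT=22 WINDOW=724 RES=0x00 ACK URGP=0
Sep 10 14:12:01 firewall kernel: [17339.000000] FW-FORWARD-DROP: IN=enp2s0.104 OUT=enp4s6 MAC=00:15:17:cb:45:92:00:13:d4:46:e2:ca:08:00 SRC=192.168.3.3 DST=192.168.2.22 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Usage: classify_log /var/log/kern.log, or sample_log | summarize_log
```

On the excerpt above this prints "local established" for every line, which is exactly the reply's point: nothing in that log is a forwarded connection request.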
Re: Debian 10.1, iptables and DNAT not working
p.H wrote:
> There is no LOG rule in your script, so how come there are iptables messages in the kernel log ?
> I do not see DST=192.168.3.31 in these messages. Also they do not show forwarded traffic but packets sent to the firewall itself (DST=192.168.3.1), and are part of an established SSH connection (ACK), not connection requests (SYN).
> Does the routing work properly at least if you remove all filtering and accept all packets ?
Because I have modified and tried things in the script. I also use -j LOGACCEPT, LOGREJECT or LOGDROP.
The good news now is that things seem to work better (and don't ask what I did, because as a novice on iptables I'm not sure - I'm used to working with CheckPoint firewalls).
I'm able to ssh between hosts and I have incoming HTTP traffic to my web server. Not sure about my mail server yet, but when I try to send email from one of my internal hosts to another, I do not see anything in the mail server's log.
I first tried a rule:
iptables -A INPUT -p tcp -d 192.168.4.10 --dport 25 -m state --state NEW -j LOGACCEPT
Later I tried
iptables -A INPUT -p tcp -s 192.168.2.22 -d 192.168.4.10 --dport 25 -m state --state NEW -j LOGACCEPT
iptables -A INPUT -p tcp -s 192.168.3.3 -d 192.168.4.10 --dport 25 -m state --state NEW -j LOGACCEPT
I guess I have to try other things...
Note: All my postings have been done from a laptop using a mobile phone as an access point. Most of the text has been copied by typing what's on the firewall's monitor. So please excuse any typos.
Re: Debian 10.1, iptables and DNAT not working
Mail seem to work OK also.
But on one of the NICs there is a wireless router. It is not possible to access anything from a laptop using the wireless router. I cannot see any reason for it. Access from workstations that are wired works fine.
Re: Debian 10.1, iptables and DNAT not working
No. But I saw what the problem was when I woke up in the morning. And it turned out to be the correct solution.
Again - thanks to all help I have got on this issue