Mailing List Archive

logic inconsistencies
Hello,

First I want to thank all the people who contributed to this great
piece of software. (And sorry for my poor English.)
I'm not a member of any mailing list!


We had problems with iptables v1.2.1a and solved them.
But I want to point out some logic inconsistencies in the logical
rule set.

We had a firewall with two interfaces:
one IP on the interface towards the internet,
one IP on the interface towards our private network.
That firewall masqueraded all traffic from/to the internet.

All traffic coming from the internet to the official IP
on a special port 76 was forwarded to an inner private
IP on port 80 (second inner webserver, from now on www2).

The DNS entry for www2 pointed to the IP address of the firewall.

Now we replaced that firewall with a Linux version, kernel 2.4.4
and iptables v1.2.1a.

We gave that computer one interface for the internet side with some
more IP addresses:

xxx:~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:A0:C9:9F:44:0B
inet addr:192.168.4.6 Bcast:192.168.4.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7616554 errors:0 dropped:0 overruns:0 frame:0
TX packets:7817610 errors:0 dropped:0 overruns:4 carrier:0
collisions:27270 txqueuelen:100
Interrupt:12

eth1 Link encap:Ethernet HWaddr 00:A0:C9:9E:BA:0F
inet addr:xxx.yyy.zzz.5 Bcast:xxx.yyy.zzz.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8740451 errors:0 dropped:0 overruns:0 frame:0
TX packets:7254103 errors:0 dropped:0 overruns:4 carrier:0
collisions:0 txqueuelen:100
Interrupt:10 Base address:0x2000

eth1:10 Link encap:Ethernet HWaddr 00:A0:C9:9E:BA:0F
inet addr:xxx.yyy.zzz.10 Bcast:xxx.yyy.zzz.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0x2000

eth1:12 Link encap:Ethernet HWaddr 00:A0:C9:9E:BA:0F
inet addr:xxx.yyy.zzz.12 Bcast:xxx.yyy.zzz.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0x2000

eth1:13 Link encap:Ethernet HWaddr 00:A0:C9:9E:BA:0F
inet addr:xxx.yyy.zzz.13 Bcast:xxx.yyy.zzz.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0x2000

eth1:14 Link encap:Ethernet HWaddr 00:A0:C9:9E:BA:0F
inet addr:xxx.yyy.zzz.14 Bcast:xxx.yyy.zzz.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0x2000

eth1:15 Link encap:Ethernet HWaddr 00:A0:C9:9E:BA:0F
inet addr:xxx.yyy.zzz.15 Bcast:xxx.yyy.zzz.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:67 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0


Now we wanted to give www2 its own official IP address
(xxx.yyy.zzz.15),
but it should still be accessible on the old port 76.

We changed the DNS entries for www2 from the firewall address to the new
IP address.

All traffic from now on came to the new firewall at the address
xxx.yyy.zzz.15.

We set up a rule for DNAT:
$IPT -t nat -A PREROUTING -p tcp -s $IP_WORLD --sport 1024: \
    -d xxx.yyy.zzz.15 --dport 80 \
    -j DNAT --to-destination ${IP_WWW2_INT}


Everything worked for port 80.

Now we wanted to make a port redirect from the old port 76 to port 80:
$IPT -t nat -A PREROUTING -p tcp -s $IP_WORLD --sport 1024: \
    -d xxx.yyy.zzz.15 --dport 76 \
    -j REDIRECT --to-port 80

But we got the following deny log messages:
kernel: INPUT IN=eth1 OUT= MAC=00:a0:c9:9e:ba:0f:00:03:e4:fa:d8:00:08:00
SRC=141.20.21.154 DST=xxx.yyy.zzz.5 LEN=60 TOS=0x00 PREC=0x00 TTL=59
ID=30812 DF PROTO=TCP SPT=1072 DPT=80 WINDOW=32120 RES=0x00 SYN URGP=0


So the kernel changed the destination address to the first address of eth1.

OK, we saw that it won't work that way, so we changed the redirection to DNAT:
$IPT -t nat -A PREROUTING -p tcp -s $IP_WORLD --sport 1024: \
    -d xxx.yyy.zzz.15 --dport 76 \
    -j DNAT --to-destination ${IP_WWW2_INT}:80


But then we got the following messages:

kernel: INPUT IN=eth1 OUT= MAC=00:a0:c9:9e:ba:0f:00:03:e4:fa:d8:00:08:00
SRC=141.20.21.154 DST=zzz.yyy.zzz.15 LEN=60 TOS=0x00 PREC=0x00 TTL=59
ID=30843 DF PROTO=TCP SPT=1073 DPT=76 WINDOW=32120 RES=0x00 SYN URGP=0


But we already had a rule for forwarding of traffic for port 80.
Then we added a rule for forwarding of port 76:
$IPT -A FORWARD -i $EXT -o ! $EXT -p tcp -s $IP_WORLD --sport 1024: \
    -d xxx.yyy.zzz.15 --dport 76 -j ACCEPT

And it works till now.


So to point it out again:

- redirection changes the destination address
- PREROUTING doesn't affect forwarding (partly)?


Just for further development.

Thanks again

--
Regards
Lars Täuber
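Added example, not part of the post above and not the poster's or the netfilter project's code: a small model of the netfilter traversal order on a 2.4 kernel (nat PREROUTING first, then the routing decision, then filter INPUT or FORWARD) applied to the three rule sets the post describes. It shows why REDIRECT lands in INPUT with the primary address of the incoming interface as destination (the first log line), and that a FORWARD rule sees the packet after DNAT, so it has to match the translated destination and port rather than xxx.yyy.zzz.15:76. The interface table is constructed from the ifconfig dump; the value of IP_WWW2_INT is an assumption, since the post never shows it. The model is stateless and does not cover connection tracking, so it does not try to explain the second log line.

```python
# Added example: model of netfilter traversal for the post's three rule sets.
# Addresses are constructed to mirror the post; IP_WWW2_INT is an assumption.
from dataclasses import dataclass, replace
from typing import Optional

# Constructed interface table, as in the ifconfig dump: eth1 is the external
# side with primary address .5 and aliases eth1:10 .. eth1:15, eth0 is internal.
LOCAL_ADDRS = {
    "eth1": ["xxx.yyy.zzz.5", "xxx.yyy.zzz.10", "xxx.yyy.zzz.12",
             "xxx.yyy.zzz.13", "xxx.yyy.zzz.14", "xxx.yyy.zzz.15"],
    "eth0": ["192.168.4.6"],
    "lo": ["127.0.0.1"],
}
EXT = "eth1"
IP_WWW2_INT = "192.168.4.80"   # assumption: the post's ${IP_WWW2_INT} is not shown


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One iptables rule; match fields are ANDed, a None field matches anything."""
    target: str                          # "DNAT", "REDIRECT" or "ACCEPT"
    dst: Optional[str] = None            # -d
    dport: Optional[int] = None          # --dport
    in_iface: Optional[str] = None       # -i
    not_out_iface: Optional[str] = None  # -o ! X
    to_addr: Optional[str] = None        # --to-destination addr
    to_port: Optional[int] = None        # --to-destination :port / --to-port


def matches(rule: Rule, pkt: Packet, out_iface: Optional[str] = None) -> bool:
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.in_iface is not None and rule.in_iface != pkt.in_iface:
        return False
    if rule.not_out_iface is not None and rule.not_out_iface == out_iface:
        return False
    return True


def primary_addr(iface: str) -> str:
    return LOCAL_ADDRS[iface][0]


def nat_prerouting(pkt: Packet, rules) -> Packet:
    """First matching nat rule wins; DNAT/REDIRECT rewrite the destination."""
    for r in rules:
        if not matches(r, pkt):
            continue
        new_port = r.to_port if r.to_port else pkt.dport
        if r.target == "DNAT":
            return replace(pkt, dst=r.to_addr, dport=new_port)
        if r.target == "REDIRECT":
            # REDIRECT only lets you pick the port; the address becomes the
            # primary address of the interface the packet came in on.
            return replace(pkt, dst=primary_addr(pkt.in_iface), dport=new_port)
    return pkt


def route(pkt: Packet):
    """Routing decision taken after PREROUTING: local address -> INPUT, else FORWARD."""
    if any(pkt.dst in addrs for addrs in LOCAL_ADDRS.values()):
        return "INPUT", None
    out = "eth0" if pkt.dst.startswith("192.168.4.") else EXT
    return "FORWARD", out


def traverse(pkt: Packet, nat_rules, filter_rules):
    """Return (chain, verdict, packet as the filter chain sees it)."""
    pkt = nat_prerouting(pkt, nat_rules)
    chain, out = route(pkt)
    for r in filter_rules.get(chain, []):
        if matches(r, pkt, out):
            return chain, r.target, pkt
    return chain, "DROP", pkt   # default policy DROP is what shows up in the log


# Constructed SYN matching the second log line of the post.
SYN = Packet(in_iface=EXT, src="141.20.21.154", dst="xxx.yyy.zzz.15", sport=1073, dport=76)
RULE_REDIRECT = Rule("REDIRECT", dst="xxx.yyy.zzz.15", dport=76, to_port=80)
RULE_DNAT = Rule("DNAT", dst="xxx.yyy.zzz.15", dport=76, to_addr=IP_WWW2_INT, to_port=80)
# FORWARD rule written against the pre-NAT address (as in the post) ...
FWD_PRE_NAT = Rule("ACCEPT", in_iface=EXT, not_out_iface=EXT, dst="xxx.yyy.zzz.15", dport=76)
# ... and against the address/port the packet carries after DNAT.
FWD_POST_NAT = Rule("ACCEPT", in_iface=EXT, not_out_iface=EXT, dst=IP_WWW2_INT, dport=80)


def with_redirect():
    return traverse(SYN, [RULE_REDIRECT], {})


def with_dnat(forward_rules):
    return traverse(SYN, [RULE_DNAT], {"FORWARD": list(forward_rules)})


if __name__ == "__main__":
    print("REDIRECT          :", with_redirect())
    print("DNAT, pre-NAT fwd :", with_dnat([FWD_PRE_NAT]))
    print("DNAT, post-NAT fwd:", with_dnat([FWD_POST_NAT]))
```

Running it prints the REDIRECT case ending in INPUT with destination xxx.yyy.zzz.5 port 80, the DNAT case with the pre-NAT FORWARD rule ending in DROP, and the DNAT case with the post-NAT FORWARD rule ending in ACCEPT towards IP_WWW2_INT:80.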