Iptables – fwbuilder: Port forwarding works from outside, but not inside

Tags: fwbuilder, iptables, nat

I'm hoping there's something obvious I've missed here. I have NAT rules set up to forward a few different ports to an internal machine. When a request comes in from the internet, everything works as planned.

However, if I hit my external IP from inside the network with the same port, the request terminates at the firewall machine instead of being forwarded to the right place.

Is there something obvious that I'm doing wrong? The generated iptables rules are below.

# Generated by iptables-save v1.4.4 on Wed Sep  7 20:36:37 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Cid4488E49C.0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m state --state NEW -j ACCEPT 
-A INPUT -s XXX.XXX.XXX.XXX/32 -m state --state NEW -j ACCEPT 
-A INPUT -s 10.0.0.1/32 -m state --state NEW -j ACCEPT 
-A INPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j ACCEPT 
-A INPUT -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT 
-A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT 
-A FORWARD -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT 
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -o lo -m state --state NEW -j ACCEPT 
-A OUTPUT -m state --state NEW -j ACCEPT 
-A OUTPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j Cid4488E49C.0 
-A OUTPUT -p udp -m udp --dport 67 -m state --state NEW -j Cid4488E49C.0 
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT 
-A OUTPUT -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT 
-A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT 
-A OUTPUT -j DROP 
-A Cid4488E49C.0 -d XXX.XXX.XXX.XXX/32 -j ACCEPT 
-A Cid4488E49C.0 -d 10.0.0.1/32 -j ACCEPT 
COMMIT
# Completed on Wed Sep  7 20:36:37 2011
# Generated by iptables-save v1.4.4 on Wed Sep  7 20:36:37 2011
*nat
:PREROUTING ACCEPT [114:15633]
:POSTROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [1:48]
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050 
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900 
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE 
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050 
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900 
COMMIT
# Completed on Wed Sep  7 20:36:37 2011

Best Answer

If you are connecting to the 10.0.0.10 server from another machine on the 10.0.0.0/24 network there could be a problem with the way packets are routed. For example, if your source is 10.0.0.99 and you connect to 10.0.0.10 via the public IP address, the response packets from the 10.0.0.10 server will be sent directly to 10.0.0.99 which will drop them since it doesn't have a half-open connection with 10.0.0.10 (the half-open connection is with the public IP).

One possible solution is double NAT. Here's an example:

http://www.fwbuilder.org/4.0/docs/users_guide5/double_nat.html

Btw, a better place to get fwbuilder support is from either the fwbuilder mailing list or discussion forum on SF.

http://sourceforge.net/projects/fwbuilder/forums/forum/16372

https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
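The "double NAT" (hairpin NAT) fix the answer points to, written out against the rule set in the question as an added example; this is not code from the question, the answer or the fwbuilder project. The question's PREROUTING DNAT rules carry no `-i` match, so a LAN client that connects to the public address already gets its packet rewritten to 10.0.0.10 or 10.0.0.11; what is missing is a POSTROUTING SNAT on that same flow so the server's reply returns via the firewall instead of going straight to the LAN client, which the answer explains is why the connection dies. The script assumes the firewall's LAN address is 10.0.0.1 (the page shows 10.0.0.1 only as a trusted host) and uses a documentation-range placeholder for the public address `XXX.XXX.XXX.XXX`; both are assumptions. The existing FORWARD rule `-s 10.0.0.0/24 ... --state NEW -j ACCEPT` already lets the rewritten flow through the filter table, so no filter rules are emitted.

```shell
#!/bin/sh
# Added example: hairpin (double) NAT for the forwards in the question.
# Nothing is applied unless APPLY=1 is set; by default the commands are printed.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"  # placeholder for XXX.XXX.XXX.XXX (assumption)
LAN_NET="10.0.0.0/24"                   # from the question's rules
FW_LAN_IP="${FW_LAN_IP:-10.0.0.1}"      # firewall's LAN address (assumption)

# Forwarded services from the question's PREROUTING rules: "<tcp port> <internal host>"
FORWARDS="5050 10.0.0.10
5900 10.0.0.11"

# Emit one POSTROUTING SNAT rule per forwarded service. The rule matches only
# LAN-originated packets that have ALREADY been DNATed to the internal host
# (nat/POSTROUTING runs after PREROUTING DNAT), so Internet clients are not
# affected and the server still sees their real source addresses.
gen_hairpin_rules() {
    while read -r port host; do
        [ -n "$port" ] || continue
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
            "$LAN_NET" "$host" "$port" "$FW_LAN_IP"
    done <<EOF
$FORWARDS
EOF
}

# Number of hairpin rules that would be installed (handy for a sanity check).
hairpin_rule_count() {
    gen_hairpin_rules | grep -c -- '-j SNAT'
}

if [ "${APPLY:-0}" = "1" ]; then
    # Run each generated command; stop at the first failure.
    gen_hairpin_rules | sh -e
else
    gen_hairpin_rules
fi
```

After applying, a LAN client such as the 10.0.0.99 host in the answer connects to the public address, PREROUTING rewrites the destination to the internal server, POSTROUTING rewrites the source to the firewall's LAN address, and the server's reply is addressed to the firewall, which un-NATs both sides before handing it back to the client. The cost, as with any hairpin NAT, is that the internal server logs the firewall's address rather than the client's for these connections.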