Iptables port forwarding

Tags: iptables, port-forwarding

I want to forward traffic destined for port 100 to 127.0.0.1:101. The actual goal is to forward to a different IP:PORT, but for the sake of just getting stuff to work I have a socket listening on *:100.
From this site, and googling "iptables port forwarding howto", I've been led to believe the syntax is as follows, which is part of my ruleset.

    #Set default policies to DROP
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    #Flush ruleset
    iptables -F
    iptables -t nat -F
    iptables -t filter -F

    #Allow local access
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    #Allow ESTABLISHED,RELATED
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Allow outbound SYN requests
    iptables -A OUTPUT -o eth0 -m state --state NEW -j ACCEPT

    #### The routing related
    # Allow SYN requests for the port-to-be-forwarded
    iptables -A INPUT -i $INET_IFACE -p tcp --dport 100 -m state --state NEW -j ACCEPT

    # Route to 127.0.0.1:101
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 100 -j DNAT --to-destination 127.0.0.1:101

    # Accept the forward
    iptables -A FORWARD -t filter -i eth0 -p tcp --dport 101 -j ACCEPT

    # Accept all related in forward
    iptables -A FORWARD -t filter -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

My sysctl settings are:

    # sysctl -p
    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.tcp_syncookies = 1
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.all.log_martians = 1
    kernel.randomize_va_space = 1

    # cat /proc/sys/net/ipv4/conf/eth0/forwarding
    1

nmap states the port is closed for connect() and SYN scans, but open|filtered for FIN and Xmas scans.

What am I missing?

Best Answer

Solution was partly based on wolfgansz. As I was not originally registered as a user on serverfault, and have since cleared my cookies, it doesn't seem that I can just post a comment.

Default policies are DROP for INPUT and OUTPUT chains, and ACCEPT for FORWARD.

    function add_forward {
    # $1 = title
    # $2 = internal host
    # $3 = external port
    # $4 = internal port
    if [ "$2" == "" ] || [ "$3" == "" ] || [ "$4" == "" ]; then
      echo Skipping forward $1
    else
      echo "Forwarding port "$3" to "$2" port "$4" ("$1")"
      $IPT -t nat -A PREROUTING -p tcp --dst $MYIP --dport $3 -j DNAT --to-destination $2:$4
      $IPT -t nat -A POSTROUTING -p tcp --dst $2 --dport $4 -j SNAT --to-source $VMNETIP
      $IPT -t nat -A OUTPUT --dst $MYIP -p tcp --dport $3 -j DNAT --to-destination $2:$4
    fi
    }

And finally, to use it: add_forward "My forward" "192.168.0.101" 100 101

$MYIP is defined as the eth0 public IP; $VMNETIP is the VMware NAT interface.

So all in all, this enables incoming connections on eth0:100 to be bridged through the vmnet NAT interface to a virtual machine.

Hopefully, this can help someone else as well.

The primary tool for debugging was tcpdump on both the host and guest system.

"tcpdump -i eth0 port 100" for listening on the host. This revealed a problem with me setting an incorrect IP in the POSTROUTING rule, which made eth0 just drop the packets.

Thanks for the help.
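As an added example (not the poster's script and not from the thread above), here is a POSIX sh version of the same DNAT/SNAT forwarding pattern from the accepted answer, with two changes a reviewer would ask for: the host and port arguments are validated before any rule is installed, and the FORWARD accepts are written out explicitly, so the forward keeps working when the FORWARD chain's default policy is DROP rather than ACCEPT as in the answer. The interface names (eth0, vmnet8), the addresses 203.0.113.10 and 192.168.0.1, and the sample guest 192.168.0.101 are assumed values for illustration; override them through the environment variables at the top. Setting IPT to `echo iptables` prints the rules instead of installing them, which is a cheap way to review a generated rule set before it touches a live firewall.

```shell
#!/bin/sh
# Added example: generate the iptables rules that forward a TCP port on the
# public interface to an internal (VM) host.  All names and addresses below
# are assumptions for illustration, not values from the original thread.

IPT="${IPT:-iptables}"               # set IPT="echo iptables" for a dry run
EXT_IFACE="${EXT_IFACE:-eth0}"       # assumed public interface
INT_IFACE="${INT_IFACE:-vmnet8}"     # assumed VM NAT interface on the host
MYIP="${MYIP:-203.0.113.10}"         # assumed public address (documentation range)
VMNETIP="${VMNETIP:-192.168.0.1}"    # assumed host address on the VM network

# is_port NUM: true when NUM is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4 ADDR: true when ADDR is four dotted decimal octets in 0..255.
# Runs in a subshell so the IFS/glob changes used for splitting stay local.
is_ipv4() (
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# add_forward TITLE INTERNAL_HOST EXTERNAL_PORT INTERNAL_PORT
# Emits the rules via $IPT; returns 1 on bad input rather than installing a
# half-built forward.
add_forward() {
    title=$1; host=$2; eport=$3; iport=$4
    if ! is_ipv4 "$host" || ! is_port "$eport" || ! is_port "$iport"; then
        echo "Skipping forward '$title': bad host or port" >&2
        return 1
    fi
    # 1. Rewrite the destination of connections arriving on the public interface.
    $IPT -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dst "$MYIP" --dport "$eport" \
        -j DNAT --to-destination "$host:$iport"
    # 2. Same rewrite for connections the host itself opens to its public
    #    address (PREROUTING never sees locally generated packets).
    $IPT -t nat -A OUTPUT -p tcp --dst "$MYIP" --dport "$eport" \
        -j DNAT --to-destination "$host:$iport"
    # 3. Source-NAT towards the guest so its replies come back through this
    #    host even if the guest's default route points elsewhere.
    $IPT -t nat -A POSTROUTING -o "$INT_IFACE" -p tcp --dst "$host" --dport "$iport" \
        -j SNAT --to-source "$VMNETIP"
    # 4. Explicit filter rules: the forwarded connection in, its replies out.
    #    FORWARD sees the post-DNAT destination, hence --dst "$host".
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" -p tcp --dst "$host" --dport "$iport" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -p tcp --src "$host" --sport "$iport" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# usage: IPT='echo iptables' sh forward.sh web 192.168.0.101 100 101
if [ "$#" -eq 4 ]; then
    add_forward "$@"
fi
```

Run as shown in the usage comment and the script prints five rules (three nat, two filter) without touching the firewall; drop the IPT override to install them. After installing, `iptables -t nat -L PREROUTING -n -v` shows packet counters per rule, so a DNAT rule that never matches is visible without tcpdump. The question's original target, 127.0.0.1, is a different case from the VM forward above: a packet that arrives on eth0 and is DNAT'd to a loopback address is treated by the kernel as a martian (the `log_martians = 1` setting in the question would log it) unless `net.ipv4.conf.eth0.route_localnet` is set to 1, which exists from Linux 3.6 onward, and because the rewritten packet is then delivered locally it traverses INPUT rather than FORWARD, so the INPUT chain must accept the post-DNAT port 101.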
