Ubuntu Security :: Iptables Not Allowing Port Forwarding
Sep 5, 2010
I've got two virtual machines running, the first VM (VM1) has two network interfaces, one bridged with my real lan, one a private subnet. The second VM (VM2) has one nic, only on the private subnet.
I have VM1 acting as a router for VM2, giving access to my real lan for internet access. The problem I'm having is I cannot get VM1 to forward ports 80 (http) or 222 (ssh) to VM2 from my real lan.
Here is the script I've cobbled together from various (foreshadowing!) locations:
I have a mail server on which I would like to block port 25 on my eth0 for everyone except our external spam filter. the problem is that I want our users to be able to connect via port 10025 which is forwarded to port 25, which then is blocked...
I am using ubuntu 8.40 as a router wit 2 nic.eth0 is for local and eth1 is for external network.i have a internal webserver in my lan and want to forward some ports to the net and i executed te following commands.
I have a CentOS box which is Internet Facing. It has 3 LAN's connected to it which are for virtual machines.
I want to port forward port 445 to a machine on one of the LAN interfaces. I have tried various ways to get it done, but still cannot access that port from the interface. I definately know device hosting port 445 is live, as I can ping it from the CentOS box and use lynx to access it! (It's a web server)
I've been Googling about port forwarding iptables and even though there's result and I've applied it in my script, I can't make iptables forwading request to another machine so I decided to ask help.
eth0 is my Internet Interface (1.2.3.4 is the public ip) eth1 is my Lan Interface eth2 is my DMZ Interface
I have a server running debian squeeze and kvm to virtualize a Windoze box. It's setup to use NAT. This is because of limits on the network by the admin and unfortunately, there isn't a way to get around this.
how to set an external static IP address to forward to an internal static IP address. Here is an example:
Linux box (slackware) IP address = eth0: 10.xxx.xxx.xxx (internal) eth1: xxx.xxx.xxx.170 eth1.0: xxx.xxx.xxx.171 eth1.1: xxx.xxx.xxx.172
DVR system that I need to forward to: IP address = xxx.xxx.xxx.251 xxx.xxx.xxx.252
This was all setup by someone else whom I have never spoken with. The IP tables seems to be set up but I cannot provide a screen shot at this time. What I need to do is this. When a user connects to the external static IP address of xxx.xxx.xxx.171 with their DVR software, IP tables will forward to the DVR system at xxx.xxx.xxx.251. The ports desired are 554,555,556, and 557. I know some about Linux but not about IPtables.
iam using arno iptables can give me command to ip forwarding cause my web server behind my router. my ip web server 192.168.0.11 and my ip router on eth 1 192.168.0.1 and eth0 i use to dial up my modem and i use pppoe for that.
I've been beating myself over the head with iptables and CANNOT get port forwarding to work. Here's my situation: Static LAN IP on eth0 Static internet IP on eth1 ip_forward is turned on by uncommenting in sysctl.conf Here's the output of iptables-save:
Code: # Generated by iptables-save v1.4.4 on Tue Mar 8 10:34:12 2011 *nat :PREROUTING ACCEPT [2443:347058]
[Code]...
Edit: by the way, the intended purpose of this machine is to server as a gateway and firewall. MASQUERADE is working, for whatever that is worth. And the host behind the firewall that is serving up http is definitely working too. All that is not working is getting hosts on the internet talking to hosts behind the firewall.
sudo ssh -L 750:192.168.123.103:873 username@192.168.123.103It does exactly what it's supposed to do, but how do i edit / remove this rule?Is there some config file where i can alter the forwarding? How does it get stored?Im using Ubuntu 10.10Server Edition (allthough i recon it would be pretty much the same across all versions
I've used iptables since it replace ipchains, and I've never had a problem like this.The problem is, as you can see by the title, that port forwarding simply does not work.
network topology: Slackware Linux Server: eth0 - LAN (192.168.0.0/25) eth1 - DSL Static IP eth2 - cable Static IP
eth1 is our standard office connection; it handles all of our default traffic (web browsing for the staff, email, etc). eth2 is our VPN connection, as well as use for all incoming connections (www, etc). Behind the linux box I have a series of Windows Server 2008 R2 boxes that are used to run our office software, website, etc - I don't care how nice they make their products these days, I simply don't trust any MS box open to the net. Therefore, this leaves me with having to port forward port 80 from eth2 to the internal IP address of the web server.
My ruleset is as follows:
$WWW - ip address of the web server iptables -A FORWARD -d $WWW -p tcp --dport 80 -j ACCEPT iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j DNAT --to $WWW
Running ip route shows that I have routing entries for all 3 networks, and I can ping, ssh, etc to any of the addresses without issue. OpenVPN connects across eth2 as well, and all 15 of my VPN tunnels work fine. However - and here's the kicker - if I delete the default route and replace it with the route for eth2, port forwarding works fine.
I have a linux server I'm intending to use as a firewall. The server has the following adapters
eth0 - Public IP (VLAN2) eth0:1 - Public IP2 (VLAN2) eth1 - 10.241.4.4 (VLAN4)
the Default gateway is my ISPs gateway. Additionally, I have the following route set: route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.241.4.1
I have a server that exists on VLAN 208 at IP 10.241.209.67/21., its GW is 10.241.208.1 (first IP in /21 range)
as it is on the 10.0.0.0/8 network, traffic from the firewall is successfully routed from that server through my router to the FW and out to the Internet. The FW can ping, ssh, etc... the server and vice versa.
I want an iptables rule that will allow me to forward port 4401 on eth0:1 to 10.241.209.67:4401.
Is this possible since the IP is not on the same subnet as eth1, even though it is accessible?
I'm a bit better than a neophyte linux user. I have not made port forwards with it in the past without scripts to assist so I'm looking for not just "it is possible", but also the syntax of how to add it.
I have the following setup and Im trying to forward all incoming connection on port 1194 on eth2 which is the external network to ip 192.168.10.100, but seems its not working.
Current config:
# Generated by iptables-save v1.3.8 on Sun Nov 16 00:00:54 2008 *nat :PREROUTING ACCEPT [26751696:2175544875] :POSTROUTING ACCEPT [339911:19096812]
and the same its not working. Connecting thru telnet to the domain: telnet mydomain.org 1194 doesnt work, but within the server, running telnet 192.168.10.100 1194 it works.
i've got a few questions about iptables. i know how to set up ip tables to only allow from an ip address or a subnetting ip addresses. question is how do i allow from 2 different networks? would i need to create 2 lines of entry in iptables to the same port? e: allow 10.168.1.1 and 196.168.1.1 on port 22 is there a way to put all that in 1 line or would i need to create to rules for the port? i know i can use the ssh allow or deny but i'd like to stop access even before it gets to the ssh. stop it at the source kinda thing.
I don't think there is a hidden firewall in the switch but if these commands are correct, then I may need to contact my ISP and see if they are blocking the commands. I just wanted to make sure I was not doing some stupid mistake before I try to contact my ISP.
EDIT: Also, is it possible to forward Port 80 requests to different servers depending on the hostname used to connect, so say [URL] redirects to server xxx.xxx.xxx.15 while hhh.com redirects to xxx.xxx.xxx.16?
I'll explain this in one sentence: Is it possible to program a port-binding shellcode in which people across the Internet can connect to, without being thwarted by the router blocking their data because the port its bound to doesn't allow port-forwarding
I'm new to linux, but enjoy using it very much, especially without a GUI, console is fun! I need to set up port forwarding. We have 3 servers, 1x running Ubuntu server 8.04 (used as transparent proxy), 1x server 2003, 1x windows xp.
The linux box has the following ips: eth0 (internal) 192.168.1.5 eth1 (external) 192.168.0.7
Windows server 2003: 192.168.1.6
Windows XP: 192.168.1.9
Router: 192.168.0.1
The router automatically forwards specific ports to 196.168.0.7 (Linux eth0). From there I want to forward port 8585 to 192.168.1.6 and 3000 to 192.168.1.9. Is there a way that I can do this using iptables?
The commands that I think I'm gonna use look like this: iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8585 -d 192.168.1.6 -j ACCEPT iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3000 -d 192.168.1.9 -j ACCEPT
Would this be a correct way of doing it? My biggest problem is that I can't test it without going live, and if I go live and something doesn't work, the entire building will be left without internet, people will hate me. Also, The proxy captures all data on port 80 and forwards it to 3128 so that the proxy can monitor the usage, and a few systems runs fine with it, others however can ping websites, and internet explorer says "website found, waiting for reply" but the webpages cannot be displayed.
I am using dyndns to keep track of my smartphone's ip address. The idea is to be able to ssh into my home network, protected by an iptables firewall. If I use the command: # iptables -I INPUT 9 -s myname.dyndns.org -p tcp -m tcp --dport 22 -j ACCEPT it updates using the current ip address, but the next time I get an ip address update to my phone and update dyndns to properly provide nslookups, this is not being updated in iptables unless I restart my firewall. Is there a better way to do this?
Im running a web server on port80, but i want traffic coming from ip 212.333.111.222 on port 80 to be fowarded to port 9020 on the same server that my web server is rinning at that is my sshd port
I have a computer with two interfaces eth0(LAN) and eth1(WAN).I have followed some guides on the internet and came up with this iptables configuration:
# Generated by iptables-save v1.4.4 on Wed Apr 20 09:43:12 2011 *nat :OUTPUT ACCEPT [0:0]
As it stands I have a small home network operating behind my modem/router. Some of the ports on this are forwarded to my PS3 for gaming but I was looking at forward some for my file server.
At the moment I've forwarded port xxx22 to port 22 on my server for SSH for instance. ANd similarly 21 for FTP (although it doesnt seem to want to connect for any more than a few seconds using that). What I was thinking of doing was placing a small website for a handful of ppl to use on the server too and port forward again - xxx80 to 80. It works just fine but I'm a little concerned on the security front.
As I've moved the port to something different from the outside world I'm presuming I will have already cut the potential for malicious folks to wander in but is there anything else I should be doing? At the moment there's no firewall operating on the server, usually as its hidden behind the modem/router. But if I open this thign up more permanently what should I be doing? I've read a few articles on it but I'm always left with the overwhelming thought of "Thats if theres no firewall in my router" as they just seem to do the same.
Is there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?
One obvious example that probably clarifies my question: When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for say openvpn traffic. Thus: when someone wants to surf to a website with https, it should be ok but if someone wants to connect to his home openvpn server over that same port, it should be blocked.
Up to now I've been playing with Ubuntu whilst storing important data elsewhere for about 2 years. Now I'm ready to move to Ubuntu completely but want to address my security.I'm currently using a desktop and server behind a hardware firewall / Internet router. The router has DynDNS and forwards port 80 to the webserver and a port I picked at random to the desktop 22 for SSH with private keys. SSH passwords are disabled.
The first question is, is there a danger of running different security levels on the two machines? I don't care about the server, there is no data on it so I currently forward port 80 and am considering forwarding ports 631 (CUPS) and a port for LDAP. Will this effect my desktop (which has info I don't want to loose).The next question is whether port forwarding / hardware firewall is actually a safeguard against attack.
I'm trying to SSH into my home computer from a remote location outside of my house's LAN and can't figure out remote port fowarding.
The guide here says to use the following:
Code:
I've tried connecting to my home computer through many combinations of the syntax listed above, read the man file, and looked online for help. But can't find out the proper syntax or a good guide that isn't written for Windows users using Putty.
Let's assume for the sake of simplicity that the public IP address of my home SSH server is 123.123.123.123, the private IP address of my home SSH server is 192.168.1.100, my home SSH port is 2222, and the SSH port at my current location is is 22. How would I write out the command?
Every time I try to connect I get a "connection times out" error.
I have just set up shorewall on my router running Arch Linux. The external network is on eth0 and the internal network on eth1.I have set it up for masquerading and that works fine and I can open ports to the firewall. But I'm having trouble with port forwarding to my internal machines.The problem I have is that when port 22350 is forwarded to 192.168.1.3 on my local network, checking the port with nmap from a remote computer gives me:
If I forward port 5764 to port 80 to my VOIP device, I can nmap and get a proper connection. If I forward port 5764 to port 22 to my server, it comes up filtered. It even happens if I try forwarding port 80 to my server. So I'm sure it has something to do with my server, but I'm not sure.Here's my Linksys iptables:
I'm having a mare with SSL with Apache. I have set it up and if I go to the follwoing address http://192.168.1.2 it seems to work and the pages are delivered to my browser. However if I try to access it from an exernal PC it will not work.
I can get to the non-ssl part of the site so the static ip is resolved and the port forwarding all works.
Does any one have any ideas (and in fact i think I may have just solved it - Ports - 80 mis open but I haven't done anything with 443. Will check it out and post back.
I've recently installed 10.10 server edition, and I must say it was a pleasant suprise, it's just the way I like it. I use it as a squeezebox-server. But I've run into a problem with the firewall. I did a portscan, which told me there are more ports open then I've told UFW to open. Among which port 25 and 119, when I telnet from another PC to those ports, the connection gets accepted, although there is no answer to any commands (as expected, there's no mail server running). Iptables print-outs also don't mention anything about the respective ports or a daemon that could be responsable, and the same applies to "ps -e" or "ps aux".
Iptables seems to be working, when I remove the rules to allow samba to work, I can't reach the shares, and when I insert them again I can reach the shares. "sudo ufw deny from any" as last rule doesn't change anything either (deny incoming is default (although I never issued the command "ufw status verbose" says it is) so it shouldn't, but ports 25 and 119 shouldn't be open either).
I would like to allow incoming and outgoing connections when I'm connected to a wired connection, but drop it otherwise. I noticed that ufw can't block outgoing traffic because of will I give iptables a try. I'm unsure if dropping packages that are outgoing will work, the rule after the block rule will allow all outgoing connections.
This what the rules are intended to do, unsure if that is actually the case. Allow all loopback traffic. Allow ping replys Allow incoming on port 12345 if eth0, deny otherwise. Allow outgoing on port 12346 if eth0, deny otherwise.
Code: iptables -A FORWARD -j DROP iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p icmp --icmp-type 0 -s -m state --state ESTABLISHED,RELATED -j ACCEPT
I'm trying to open port 119. I already have a few ports open. I've used webmin to open both incoming and outgoing ports. iptables --list --numeric gives me:
