iptables & port-forwarding

Lemming

hey guys,

I'm trying to figure out how to enable port-forwarding withing bjorking up an entire network's routing.

Currently,

there exist 'n' machines which connect to the internet via a server which SNAT's them. This server is also hosting web services (http, smtp, ftp).

What I want to do is have 'n' machines connecting to the internet via the server, but the services also sit behind the firewall, rather than on it. So I need to DNAT traffic.


LAN_IF = 10.1.0.* (being a user machine)
WEB_IF = 10.1.0.n (being the http/smtp/etc server)

FIREWALL (has two interfaces)
-> INT_IF (eth1) = 10.1.0.n (internal network address)
-> EXT_IF (eth0) = x.x.x.x (world useable IP address)


Current iptable rule allowing NAT:

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/24 -j SNAT --to $EXT_IF


if I add the following:

# for external traffic coming ni
iptables -t nat -A PREROUTING --dst $EXT_IF --dport 80 -j DNAT --to-source $WEB_IF
iptables -t nat -A PREROUTING --dst $EXT_IF --dport 25 -j DNAT --to-source $WEB_IF


#for internal network traffic
iptables -t nat -A POSTROUTING --dst $WEB_IF --dport 80 -j SNAT --to-source $LAN_IF

iptables -t nat -A POSTROUTING --dst $WEB_IF --dport 25 -j SNAT --to-source $LAN_IF

will it cock up normal web traffic coming back into the network (related/established/etc). Will I need to specify incoming external traffic that seeks to negotiate a connection is redirected?

etc.

fractal

Im not 100% sure but I dont see that you should have any problems using those rules...

As far as I can see they will only cock up if there is your webserver on port 80 and for some reason another machine on your internal net is listening on port 80.

This shouldnt happen unless you've told it to because ports below 1000 are reserved. No?

Lemming

Where my biggest worry comes from is when an internal machine makes a request to an external website. The traffic is coming back on port 80 and could be redirected to the webserver, which needless to say would not be a good state of affairs.

My understanding is that iptables keeps track of the connection and would thus know not to go redirecting it elsewhere. Is this so or have I misinterpreted it ?

fractal

Hey Lemming,

Where my biggest worry comes from is when an internal machine makes a request to an external website. The traffic is coming back on port 80 and could be redirected to the webserver, which needless to say would not be a good state of affairs.

This is where I dont think you're right... Just because a web browser, wget or summat makes a request for a service on port 80 on a remote machine doesnt mean that the remote machine replies to the same port.

That is to say IE doesnt necessarily work off of port 80 to get replies from websites. Nor does Netscape. Ever noticed that you cant run 2 services on the same port at the same time on 1 machine but 2 different web browsers will happily run along side each other.

So I dont think you have to worry about traffic destined for a web-BROWSER making its way to your web-SERVER..
So in that respect you are safe.

I know that nat in the linux kernel does keep track of connections but having only a basic knowledge of IP I cant really comment on how this works.

Just outta interest how many people would you be affecting if you tried this and it didnt work? I mean if a few ppl get kicked off the net for a few mins its not the end of the world..

Lemming

Originally posted by fractal
Hey Lemming,



This is where I dont think you're right... Just because a web browser, wget or summat makes a request for a service on port 80 on a remote machine doesnt mean that the remote machine replies to the same port.

/me smacks forehead!

GAHHH stupid me!! Kept thinking interms of all HTTP communications traversing via port 80 for some obscure reason. Only the server operates on port 80. Dumb me!

Just outta interest how many people would you be affecting if you tried this and it didnt work? I mean if a few ppl get kicked off the net for a few mins its not the end of the world..

My life expectancy would probably be about 5 minutes .......

True, wouldn't be the end of the world, but try telling that to a bunch of developers going through withdrawal ....

Lemming

just realised something.

I eventually want to have two servers running behind this firewall. One running http and the other smtp. But the one running smtp has a webmail feature too.

If I'm port-forwarding based on port 80, how do I get around this potential problem

the http server will be to a doman.extension website, and I was perhaps contemplating assigning a virtual.domain.extension to the smtp webmail service.

Anyone got any ideas about how to deal with this?

crowbar

typically you'd use a second ip address for your mail+webmail server, and write similar rules to you have there already for the second address. however if you don't have a second address, then you'll have to use a port other than 80 and 25 for the webmail server. hopefully the port used is configurable on your webmail server. if not, then you could redirect (say) requests to port 8000 on your external ip address to port 80 on your webmail server, then access webmail using http://ipaddr:8000/. i'm no iptables expert, but the manual page suggests something like:

iptables -t nat -A PREROUTING --protocol tcp --dst $EXT_IF --dport 8000 -j DNAT --to-destination $MAIL_IF:80

however - whether this works depends on the way your webmail server generates urls in the pages it returns. if it uses relative urls (eg. <a href="readmsg.asp">) or root relative urls (eg. <a href="/cgi-bin/script.php?readmsg&id=123">) then redirecting the port should be okay as the browser remembers the :8000 bit in the url. if in the unlikely case it uses absolute urls (eg. <a href="http://mail/cgi-bin/compose.asp"&gt;), there will be a world of hurt trying to get port redirection working ...