# iptables guru needed! [SOLVED]

## binro

I am trying to get port forwarding going so I can connect from the internet to a particular port on a particular host on my LAN. Googling, the iptables rules for this seem quite straightforward. Below is listed the output of "/etc/init.d/iptables save" with the key rules highlighted:

```
# Generated by iptables-save v1.3.5 on Tue Sep 19 16:16:17 2006
*nat
:PREROUTING ACCEPT [2303036:146880326]
:POSTROUTING ACCEPT [4687665:248774312]
:OUTPUT ACCEPT [4684201:248497822]
[2:120] -A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.2.10:22
[6:380] -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 19 16:16:17 2006
# Generated by iptables-save v1.3.5 on Tue Sep 19 16:16:17 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [5370:960808]
:OUTPUT ACCEPT [349009106:238159783251]
:block - [0:0]
[190032:72149464] -A INPUT -i xenbr0 -j ACCEPT
[343387253:294524803023] -A INPUT -j block
[593470:427306605] -A FORWARD -i xenbr0 -j ACCEPT
[0:0] -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -p udp -m udp --dport 123 -j ACCEPT
[0:0] -A FORWARD -p udp -m udp --dport 5000:5100 -j ACCEPT
[0:0] -A FORWARD -p tcp -m tcp --dport 30000:30010 -j ACCEPT
[6:360] -A FORWARD -d 192.168.2.10 -p tcp -m tcp --dport 22 -j ACCEPT
[8981:11323557] -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[227008:204216747] -A OUTPUT -o xenbr0 -j ACCEPT
[73:5913] -A OUTPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
[19530:24361359] -A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
[332885397:293868543886] -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
[435972:25769768] -A block -s 127.0.0.1 -j ACCEPT
[214481:29877816] -A block -s 192.168.0.0/255.255.0.0 -j ACCEPT
[5:300] -A block -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
[0:0] -A block -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
[5484:326816] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -j ACCEPT
[42210:2220072] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 25 -j ACCEPT
[7597:462452] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
[1010:45378] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 110 -j ACCEPT
[24:1464] -A block -p udp -m state --state NEW,ESTABLISHED -m udp --dport 123 -j ACCEPT
[16:896] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 389 -j ACCEPT
[203:10172] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -j ACCEPT
[0:0] -A block -p udp -m state --state NEW,ESTABLISHED -m udp --dport 4444 -j ACCEPT
[0:0] -A block -p udp -m state --state NEW,ESTABLISHED -m udp --dport 6891:6892 -j ACCEPT
[0:0] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 6891:6892 -j ACCEPT
[7564813:384565424] -A block -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 55000:55009 -j ACCEPT
[950727:103978461] -A block -j ULOG --ulog-prefix "netfilter"
[1769946:186062106] -A block -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Sep 19 16:16:17 2006
# Generated by iptables-save v1.3.5 on Tue Sep 19 16:16:17 2006
*mangle
:PREROUTING ACCEPT [344066011:295092875307]
:INPUT ACCEPT [343645034:294653170640]
:FORWARD ACCEPT [653594:471474208]
:OUTPUT ACCEPT [349289906:238421161486]
:POSTROUTING ACCEPT [379955756:239495313363]
COMMIT
# Completed on Tue Sep 19 16:16:17 2006
```

When I call from a dial-up session "ssh -p 2222 root@my.domain" I just get a time-out. The router has firewalls disabled and the host with the iptables rules is in the DMZ. The target host has no firewall active. Can anyone see what rule could be blocking things? Clearly there is some activity - [6:360].

TIA

----------

## JeliJami

I think you still need 

```
-A INPUT --dport 2222 -j ACCEPT
```

and

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

----------

## binro

Thanks for the suggestions. ip_forwarding is already enabled and

 *davjel wrote:*   

> I think you still need 
> 
> ```
> -A INPUT --dport 2222 -j ACCEPT
> ```
> ...

 

should be 

```
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
```

to avoid syntax errors, but it didn't help anyway.   :Sad: 

----------

## dleverton

 *binro wrote:*   

> [6:380] -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE 

 

Are you sure you need this rule?  I'm no guru, but it looks like it might interfere.

EDIT: actually, I think I'm talking rubbish.  But try it anyway.  :Wink:

Last edited by dleverton on Tue Sep 19, 2006 1:48 pm; edited 1 time in total

----------

## binro

 *dleverton wrote:*   

>  *binro wrote:*   [6:380] -A POSTROUTING -s 192.168.2.0/255.255.255.0 -j MASQUERADE  
> 
> Are you sure you need this rule?  I'm no guru, but it looks like it might interfere.
> 
> EDIT: actually, I think I'm talking rubbish.  But try it anyway. 

 

That rule is to route traffic back the other way from the virtual machine to the internet: the 192.168.2.0 subnet is the source in this case.

----------

## dleverton

 *binro wrote:*   

> That rule is to route traffic back the other way from the virtual machine to the internet: the 192.168.2.0 subnet is the source in this case.

 

Yeah, sorry, I wasn't paying enough attention.  :Embarassed:  Have you tried tcpdump (or similar) on either the router or the machine you're trying to connect to?  Also, since you mention virtual machines, is the target host real or virtual?

----------

## binro

So far I have avoided tcpdump in the hope that someone can spot something obvious! The target host is in fact a CentOS Linux/390 running on top of Hercules: it is perfectly happy and I can ssh in from the hosting real machine without any problems, it is just the routing from the internet that is not working. FWIW I had exactly the same problem trying to route to a real machine on the 192.168.1.0 LAN.

----------

## dleverton

 *binro wrote:*   

> [593470:427306605] -A FORWARD -i xenbr0 -j ACCEPT 
> 
> [0:0] -A FORWARD -i eth0 -o tap0 -m state --state RELATED,ESTABLISHED -j ACCEPT 
> 
> [0:0] -A FORWARD -p udp -m udp --dport 123 -j ACCEPT 
> ...

 

Which interface are you using to talk to the target host?  Unless it's xenbr0 (I'm not familiar with Hercules, but by the name of this interface I assume it's for Xen, not Herc) or eth0 (seems unlikely for a VM, but as I say I'm not familiar), it looks like you forgot to add a rule to ACCEPT the target's reply.

----------

## binro

Hercules uses tun0 and there is already a rule for that. The problem is I can see nothing in the CentOS logging. What rule did you have in mind? The resources I found from Google are quite explicit: just the two rules I started off with.

----------

## dleverton

 *binro wrote:*   

> [8981:11323557] -A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT 

 

This is the only rule I can see that mentions tun0, and it only covers packets going from the network to the VM.  You also need one with the -i and -o reversed.

----------

## binro

Ok, that did the trick, verily thou art truly a guru!   :Very Happy:  Now to confirm your genius, do you have any idea why once ssh'ed into the virtual machine I cannot ping other hosts on the LAN or the internet? This worked once, as you can see from the traffic stats.

TIA

----------

## dleverton

 *binro wrote:*   

> Ok, that did the trick, verily thou art truly a guru!   Now to confirm your genius, do you have any idea why once ssh'ed into the virtual machine I cannot ping other hosts on the LAN or the internet? This worked once, as you can see from the traffic stats.
> 
> TIA

 

Try removing the "-m state --state RELATED,ESTABLISHED" part from the rule you just added (i.e., the one that allows traffic from tun0 to eth0).  And if I was a real guru I'd have mentioned that in the first place.  :Rolling Eyes: 

----------

## binro

I stand in awe; personally, I hate bloody firewalls. Anyway, I am now communicating in both directions thanks to you. Until the next time...

Cheers!

----------
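Added here as an illustration, not code from any poster in the thread: a small Python lint that parses an iptables-save dump (a constructed sample trimmed from the rules in the original post) and reports the two FORWARD-chain gaps dleverton diagnosed, the missing `-i tun0` return rule and a return rule restricted to RELATED,ESTABLISHED. It assumes the administrator supplies which interface each DNAT target sits behind (192.168.2.10 behind tun0 here); that mapping is not something the dump itself contains.

```python
import re
import shlex

# Constructed sample: the original post's nat and filter rules, trimmed to what the lint inspects.
SAVED_RULES = """\
*nat
-A PREROUTING -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.2.10:22
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -d 192.168.2.10 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return {table: [argv per -A rule]}; leading packet counters such as [6:360] are stripped."""
    tables, table = {}, None
    for line in dump.splitlines():
        line = re.sub(r"^\[\d+:\d+\]\s*", "", line.strip())
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A "):
            tables[table].append(shlex.split(line))
    return tables

def opt(argv, flag):
    """Value following a flag in one rule's argv, or None when the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def audit(dump, host_iface):
    """Findings per DNAT target; host_iface (assumed known) maps target IP -> interface, e.g. tun0."""
    tables = parse(dump)
    accepts = [r for r in tables.get("filter", []) if r[1] == "FORWARD" and opt(r, "-j") == "ACCEPT"]
    findings = []
    for r in tables.get("nat", []):
        if r[1] != "PREROUTING" or opt(r, "-j") != "DNAT":
            continue
        dst = opt(r, "--to-destination").split(":")[0]
        iface = host_iface[dst]
        if not any(opt(f, "-d") == dst or opt(f, "-o") == iface for f in accepts):
            findings.append(f"{dst}: no FORWARD ACCEPT toward the target")
        back = [f for f in accepts if opt(f, "-i") == iface]
        if not back:
            findings.append(f"{dst}: no FORWARD ACCEPT with -i {iface}, so its replies are dropped")
        elif all("--state" in f and "NEW" not in opt(f, "--state") for f in back):
            findings.append(f"{dst}: -i {iface} rules match only RELATED,ESTABLISHED, so it cannot open connections")
    return findings
```

Run `audit(open("/path/to/saved-rules").read(), {"192.168.2.10": "tun0"})` against a real `iptables-save` dump; an empty list means traffic is accepted in both directions for every DNAT target.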

