
Port forwarding: Works to other device, but not server

Discussion in 'Tomato Firmware' started by ACiD GRiM, Dec 7, 2009.

  1. ACiD GRiM

    ACiD GRiM Addicted to LI Member

    If I forward port 5764 to port 80 to my VOIP device, I can nmap and get a proper connection. If I forward port 5764 to port 22 to my server, it comes up filtered. It even happens if I try forwarding port 80 to my server. So I'm sure it has something to do with my server, but I'm not sure.

    Here's my Linksys iptables:

    Code:
    :wanin - [0:0]
    -A FORWARD -i vlan1 -j wanin
    -A wanin  -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
    # cat /etc/iptables |grep 80   
    -A PREROUTING -p tcp  -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
    -A POSTROUTING -p tcp --dport 80 -s 192.168.2.1/255.255.255.0 -d 192.168.2.2 -j SNAT --to-source xx.xx.xx.xx
    -A wanin  -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
    # cat /etc/iptables         
    *mangle
    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i vlan1 -d 192.168.2.1/255.255.255.0 -j DROP
    -A PREROUTING -p udp -s 192.168.2.1/255.255.255.0 ! -d 192.168.2.1/255.255.255.0 --dport 53 -j DNAT --to-destination 192.168.2.1
    -A PREROUTING -p icmp -d xx.xx.xx.xx -j DNAT --to-destination 192.168.2.1
    -A PREROUTING -p tcp -m tcp  -d xx.xx.xx.xx --dport 56983 -j DNAT --to-destination 192.168.2.1:443
    -A PREROUTING  -p tcp -m tcp -d xx.xx.xx.xx --dport 56982 -j DNAT --to-destination 192.168.2.1:22
    -A PREROUTING -p tcp  -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
    -A POSTROUTING -p tcp --dport 80 -s 192.168.2.1/255.255.255.0 -d 192.168.2.2 -j SNAT --to-source xx.xx.xx.xx
    -A PREROUTING -p udp  -d xx.xx.xx.xx -m mport --dports 5060,5061 -j DNAT --to-destination 192.168.2.8
    -A POSTROUTING -p udp -m mport --dports 5060,5061 -s 192.168.2.1/255.255.255.0 -d 192.168.2.8 -j SNAT --to-source xx.xx.xx.xx
    -A PREROUTING -p udp  -d xx.xx.xx.xx --dport 10000:20000 -j DNAT --to-destination 192.168.2.8
    -A POSTROUTING -p udp --dport 10000:20000 -s 192.168.2.1/255.255.255.0 -d 192.168.2.8 -j SNAT --to-source xx.xx.xx.xx
    -A POSTROUTING -o vlan1 -j MASQUERADE
    COMMIT
    *filter
    :INPUT DROP [0:0]
    :OUTPUT ACCEPT [0:0]
    -A INPUT -i br0 -d 69.92.51.22 -j DROP
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i br0 -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp  -m tcp -d 192.168.2.1 --dport 443 -j ACCEPT
    -A INPUT -p tcp  -m tcp -d 192.168.2.1 --dport 22 -j ACCEPT
    :FORWARD DROP [0:0]
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
    :wanin - [0:0]
    :wanout - [0:0]
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i vlan1 -j wanin
    -A FORWARD -o vlan1 -j wanout
    -A FORWARD -i br0 -j ACCEPT
    -A wanin  -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.2.8 -m mport --dports 5060,5061 -j ACCEPT
    -A wanin  -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
    COMMIT
    
    And here's my server's iptables:

    Code:
    *filter
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p icmp --icmp-type any -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i ra0 -p tcp -m state --state NEW  --dport 22 -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 20,22,21,25,53,69,80,111,139,161,443,445,631,636 --syn -j ACCEPT
    -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports 849,875,898,990,2049,8037,9830,32803,51235,56750 --syn -j ACCEPT
    -A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 20,21,53,67,69,111,123,137,138,161,631,849,875,989 -j ACCEPT
    -A INPUT -i eth0 -p udp -m state --state NEW -m multiport --dports 990,1812,1813,1900,2049,5353,32769,56750 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    
    *mangle
    COMMIT
    
    *nat
    -A POSTROUTING -o ra0 -j MASQUERADE
    COMMIT
    Thanks for helping
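    Since Tomato emits a nat DNAT plus a filter wanin ACCEPT for every forward, one check worth running against a ruleset like the one above, as an added example that is neither the poster's nor Tomato's own code: the FORWARD chain (policy DROP here) sees the destination after DNAT, so the wanin ACCEPT must match the translated address and port. The ruleset inside the script is constructed, with a made-up 5765 -> 22 forward to show a mismatch.

```python
"""Check that every Tomato DNAT port forward has a matching wanin ACCEPT.

Added example, not from the thread. The filter FORWARD chain (policy DROP here)
sees the destination *after* nat PREROUTING DNAT, so wanin must match those values."""
import re

# Constructed ruleset modelled on the posted one; xx.xx.xx.xx is the poster's
# WAN placeholder and the 5765 -> 22 forward is made up to show a mismatch.
SAMPLE_RULES = """\
*nat
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5764 -j DNAT --to-destination 192.168.2.2:80
-A PREROUTING -p tcp -d xx.xx.xx.xx --dport 5765 -j DNAT --to-destination 192.168.2.2:22
-A PREROUTING -p udp -d xx.xx.xx.xx --dport 10000:20000 -j DNAT --to-destination 192.168.2.8
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i vlan1 -j wanin
-A wanin  -p tcp -m tcp -d 192.168.2.2 --dport 80 -j ACCEPT
-A wanin  -p udp -m udp -d 192.168.2.8 --dport 10000:20000 -j ACCEPT
COMMIT
"""
DNAT_RE = re.compile(
    r"-A PREROUTING .*?-p (\w+) .*?--dport (\S+) -j DNAT --to-destination ([\d.]+)(?::(\S+))?")
ACCEPT_RE = re.compile(r"-A wanin .*?-p (\w+) .*?-d ([\d.]+) .*?--dport (\S+) -j ACCEPT")

def parse_forwards(text):
    """(proto, internal_ip, internal_port) per DNAT rule; with no port given in
    --to-destination, DNAT keeps the original destination port."""
    forwards = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            proto, ext_port, ip, int_port = m.groups()
            forwards.append((proto, ip, int_port or ext_port))
    return forwards

def parse_wanin_accepts(text):
    """Set of (proto, ip, port) the wanin chain lets through."""
    return {m.groups() for m in map(ACCEPT_RE.search, text.splitlines()) if m}

def unmatched_forwards(text):
    """DNAT targets that the FORWARD DROP policy would still discard."""
    accepts = parse_wanin_accepts(text)
    return [f for f in parse_forwards(text) if f not in accepts]

if __name__ == "__main__":
    for proto, ip, port in unmatched_forwards(SAMPLE_RULES):
        print(f"DNAT to {ip}:{port}/{proto} has no matching wanin ACCEPT")
```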
     
  2. phuque99

    phuque99 LI Guru Member

    interface ra0 and eth0 different?
     
  3. ACiD GRiM

    ACiD GRiM Addicted to LI Member

    ra0 is connected to the linksys router. eth0 is connected to a Cisco firewall.
     
  4. phuque99

    phuque99 LI Guru Member

    If it works *without* any iptables rule on your server, your next best step is to enable logging on your rules to see what happened.
     
  5. ACiD GRiM

    ACiD GRiM Addicted to LI Member

    Is turning off iptables the same as without any rules? If so, I still get a filtered status on 5764 when coming from the WAN. So it seems it's something to do with Tomato, maybe?
     
  6. Planiwa

    Planiwa LI Guru Member

    I don't understand what a "server" is.

    Isn't a server simply a process listening on a port?
    Like a P2P peer running on a PC?

    Why not start with a minimalist setup?

    Is the server listening?

    Does it respond from itself?
    Elsewhere on the LAN?
    From the router?

    Why not just start up nc on its host?

    Why not try turning off the firewall?

    Or fire requests at it and monitor iptables counts ...

    Maybe I'm trying to oversimplify again ... :)
     
  7. ACiD GRiM

    ACiD GRiM Addicted to LI Member

    By server, I mean I've got a PC running CentOS that's got a plethora of services running, ssh being one of them. This has just completely stumped me because I had it working at one point, but an uncountable amount of configurations later it isn't working.

    Basically I've got 2 networks, my parents' and mine, which are connected to their own WAN IP. I'm just trying to forward/translate an obscure port on my parents' network to my server's WiFi device, which connects to the Linksys.

    I've never really spent enough time learning about iptables to know how to get a bunch of logs going to see what's getting dropped and where.

    I've done some more testing, and port 22 is open on 192.168.2.2, but port 5764 is filtered on the Linksys's WAN address.

    The strange thing is that both UDP and TCP connections to my VOIP device seem to work as expected being either closed or open, but never filtered.

    -thanks for your time!
     
  8. Planiwa

    Planiwa LI Guru Member

    Did you say you tried disabling the server's firewall?
    Or using the default FW rules on the server?
    Or accessing the server from the router, or the LAN?

    Did you try something like:

    Code:
    iptables -nvxL |awk '$1||$2{print}'
    before and after trying to access the server (on a quiescent network!) and looking at the difference(s)?
     
  9. ACiD GRiM

    ACiD GRiM Addicted to LI Member

    I meant I just stopped the iptables service on the CentOS box

    I can get into ssh 22 if I connect my laptop to the Linksys network, but if I try to connect to 5764 (or any other port I've tried) on the WAN IP of the Linksys network, from the Cisco network, it gets filtered. Both Linksys and Cisco have separate WAN addresses.

    before
    Code:
    Chain INPUT (policy ACCEPT 6141 packets, 1113567 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    Chain OUTPUT (policy ACCEPT 6120 packets, 1116095 bytes)
        pkts      bytes target     prot opt in     out     source               destination 
    
    after:
    Code:
    Chain INPUT (policy ACCEPT 6216 packets, 1126767 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
        pkts      bytes target     prot opt in     out     source               destination         
    Chain OUTPUT (policy ACCEPT 6192 packets, 1130902 bytes)
        pkts      bytes target     prot opt in     out     source               destination
    
     
