
#1 2022-04-11 13:02:53

eom.dev
Member
Registered: 2022-02-11
Posts: 57

iptables port forwarding

I have a virtual machine that serves as a NAT router between two networks.  I want to use iptables on this router to port forward incoming ssh requests to another machine.  Here is my iptables.rules:

# Generated by iptables-save v1.8.7 on Mon Apr 11 12:36:27 2022
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [1:60]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i tp-a86608e02f4d -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.0.1:22
-A POSTROUTING -o tp-a86608e02f4d -j MASQUERADE
COMMIT
# Completed on Mon Apr 11 12:36:27 2022
# Generated by iptables-save v1.8.7 on Mon Apr 11 12:36:27 2022
*filter
:INPUT ACCEPT [129:11561]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93:12769]
-A INPUT -p ipv6-icmp -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tp-09b31f56d003 -o tp-a86608e02f4d -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -d 10.1.0.1/8 -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
COMMIT
# Completed on Mon Apr 11 12:36:27 202

Masquerading works as expected, but the port forwarding does not.  When I ssh to the router's IP address on port 2222, I get a connection timeout.  I am thinking that the problem may be caused by combining port forwarding with NAT, but this works on most routers and iptables is not providing any useful logs.

Last edited by eom.dev (2022-04-11 13:05:32)


#2 2022-04-11 14:50:20

-thc
Member
Registered: 2017-03-15
Posts: 486

Re: iptables port forwarding

It looks O.K. - only this destination

-d 10.1.0.1/8

looks a little weird - either specify 10.0.0.0/8 (for 10.x) or 10.1.0.1/32 (for this host only).

What I would do: First, zero all counters (iptables -Z), initiate an SSH connection and look at both counter columns

iptables -vnL
iptables -vnL -t nat

to verify that the DNAT and forward rule work.

Second, look for incoming SSH packets on the target machine (iptables rule, sshd LogLevel etc.)

Third: If the SSH packet arrives with the NAT VM's IP as source, does the SSH target machine correctly route them back?


#3 2022-04-11 16:10:51

eom.dev
Member
Registered: 2022-02-11
Posts: 57

Re: iptables port forwarding

-thc wrote:

It looks O.K. - only this destination

-d 10.1.0.1/8

looks a little weird - either specify 10.0.0.0/8 (for 10.x) or 10.1.0.1/32 (for this host only).

I think this is where the problem exists.  The destination host is the network hypervisor, which has a /8 subnet mask that can address all virtual machines on the network.  I want all incoming traffic to go through the router, but iptables seems to be struggling here.  With the configuration posted, the output from your suggested command was:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tp-09b31f56d003 tp-a86608e02f4d  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmpv6--  *      *       0.0.0.0/0            0.0.0.0/0           
    6 384 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0             tcp dpt:22 state NEW,RELATED,ESTABLISHED

so the /8 subnet in the rules seems to be setting the destination to 10.0.0.0; however, if I change the subnet as you suggested, the rule output works out but the address doesn't refer to the correct machine:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tp-09b31f56d003 tp-a86608e02f4d  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmpv6--  *      *       0.0.0.0/0            0.0.0.0/0           
    6 384 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.1.0.1             tcp dpt:22 state NEW,RELATED,ESTABLISHED

I suppose the easiest test/solution is to just give the hypervisor an additional IP on the /32 subnet...

In addition, the hypervisor currently has its default route set to my home router for internet connection.  I'm wondering if this is causing the timeout: router responds to client and connects to hypervisor, but hypervisor routes back over the default gateway?  I don't really want to change this (at least yet) since the router is not functioning properly...  I feel like that could lock me out.

Last edited by eom.dev (2022-04-11 16:28:29)


#4 2022-04-11 16:32:16

-thc
Member
Registered: 2017-03-15
Posts: 486

Re: iptables port forwarding

eom.dev wrote:

so the /8 subnet in the rules seems to be setting the destination to 10.0.0.0;

Yes. BTW - iptables is lenient here - other software will complain that 10.1.0.1/8 makes no sense...

eom.dev wrote:

however, if I change the subnet as you suggested, the rule output works out but the address doesn't refer to the correct machine:

Why? Your DNAT rule

-A PREROUTING -i tp-a86608e02f4d -p tcp -m tcp --dport 2222 -j DNAT --to-destination 10.1.0.1:22

targets exactly this host.

eom.dev wrote:

I suppose the easiest test/solution is to just give the hypervisor an additional IP on the /32 subnet...

An IPv4 address is 32 bits long - so a mask of "/32" is not a subnet, but this address (10.1.0.1) only.

eom.dev wrote:

In addition, the hypervisor currently has its default route set to my home router for internet connection.  I'm wondering if this is causing the timeout: router responds to client and connects to hypervisor, but hypervisor routes back over the default gateway?  I don't really want to change this (at least yet) since the router is not functioning properly...  I feel like that could lock me out.

Yes - this is the cause.

Last edited by -thc (2022-04-11 16:33:40)

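The counter-based debugging -thc describes in #2 and the return-path question settled in #4 can both be worked through offline. The following Python script is an added example, not code from the thread or from the iptables project: it parses the `iptables -vnL` counter dump eom.dev posted in #3 (embedded as constructed sample input), shows what iptables actually matches for a `-d 10.1.0.1/8` specification, and does a longest-prefix route lookup over a constructed routing table for the SSH target to show why its reply leaves via the default gateway instead of the NAT VM. All addresses in the routing-table sample (192.0.2.x, 10.1.0.2) are placeholders, and `parse_counters`, `rules_with_traffic`, `normalize_destination` and `next_hop` are names chosen for this example.

```python
"""Offline companion to the counter-based debugging in this thread.

Added example, not code from the thread or from iptables. The counter dump is
the one eom.dev posted; the routing-table addresses are constructed placeholders.
"""
import ipaddress
import re

# Constructed sample: the filter-table dump from post #3, embedded so the parser
# runs without iptables. iptables prints "icmpv6--" with no space between the
# protocol and opt columns, so the regex has to tolerate that.
SAMPLE_FILTER_DUMP = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  tp-09b31f56d003 tp-a86608e02f4d  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmpv6--  *      *       0.0.0.0/0            0.0.0.0/0
    6   384 ACCEPT     tcp  --  *      *       0.0.0.0/0            10.0.0.0             tcp dpt:22 state NEW,RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (?P<chain>\S+) \(policy (?P<policy>\S+)")
RULE_RE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<bytes>\S+)\s+(?P<target>\S+)\s+"
    r"(?P<prot>[a-z0-9-]+?)\s*--\s+(?P<in>\S+)\s+(?P<out>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_counters(dump):
    """Parse `iptables -vnL` output into rule dicts; pkts becomes an int."""
    rules, chain = [], None
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group("chain")
            continue
        m = RULE_RE.match(line)
        if m and chain:
            rule = m.groupdict()
            rule["chain"] = chain
            rule["pkts"] = int(rule["pkts"])
            rule["extra"] = rule["extra"].strip()
            rules.append(rule)
    return rules


def rules_with_traffic(dump):
    """Rules whose packet counter moved after `iptables -Z`: the ones the test
    connection actually hit. Nothing moving in nat PREROUTING means the DNAT
    rule never saw the SYN; DNAT moving but FORWARD not means the filter
    table is dropping it."""
    return [r for r in parse_counters(dump) if r["pkts"] > 0]


def normalize_destination(spec):
    """Return (network iptables matches, host_bits_set).

    iptables quietly masks 10.1.0.1/8 down to 10.0.0.0/8 (the 10.0.0.0 shown
    in the dump); stricter tools reject such a spec outright.
    """
    try:
        ipaddress.ip_network(spec, strict=True)
        host_bits_set = False
    except ValueError:
        host_bits_set = True
    return str(ipaddress.ip_network(spec, strict=False)), host_bits_set


# Constructed routing table for the SSH target (the hypervisor): default route
# to a home router, 10/8 on-link. 192.0.2.0/24 is documentation address space;
# these are placeholders, not addresses from the thread.
TARGET_ROUTES = [("0.0.0.0/0", "192.0.2.1"), ("10.0.0.0/8", "on-link")]


def next_hop(route_table, dst_ip):
    """Longest-prefix match over (cidr, gateway) pairs, as the target's kernel
    would do for the SYN-ACK it sends back."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, gw in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


if __name__ == "__main__":
    for r in rules_with_traffic(SAMPLE_FILTER_DUMP):
        print(f"{r['chain']}: {r['pkts']} pkts -> {r['target']} dst={r['dst']}")
    print(normalize_destination("10.1.0.1/8"), normalize_destination("10.1.0.1/32"))
    # DNAT alone keeps the client's address as source, so the reply to a client
    # such as 192.0.2.50 takes the default route and never passes the NAT VM.
    print("reply to client via:", next_hop(TARGET_ROUTES, "192.0.2.50"))
    # Were the reply addressed to the NAT VM's inside address (placeholder
    # 10.1.0.2), it would stay on-link and come back through the NAT VM.
    print("reply to NAT VM via:", next_hop(TARGET_ROUTES, "10.1.0.2"))
```

Feed it the real output after `iptables -Z` and a test `ssh -p 2222`: `iptables -vnL -t nat` for the DNAT rule and `iptables -vnL` for FORWARD. Counters moving in both tables but no SYN-ACK reaching the client is the return-path case the route lookup models. The thread stops at that diagnosis; the standard remedies are a route on the target for the client network via the NAT VM, or masquerading forwarded traffic on the NAT VM's inside interface so the target's replies are addressed to it.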
