Networking Forums

iptables rules forweb server

 
 
Henrik Feidner
      10-18-2006, 08:11 AM
Hi,
I have a small problem with my network configuration.
My router is connected to the internet over DSL via one NIC and has a second
NIC for my internal net.
I'm running a web server on my router. On my web server I have a site with a
Java applet; this applet wants to open a socket on port 9050 on my router.
This port is forwarded to an internal host.

Now if I call the web site from my internal network the applet can open the
socket, but if I call the applet from outside, from the internet, I get a
" ...... 9050 connection timed out: connect".

Maybe my iptables script is missing a rule to allow opening this socket?

#!/bin/sh

echo "1" > /proc/sys/net/ipv4/ip_forward # enable forwarding

# Flush, delete, recreate - don't forget this in the script! #
##############################################################
iptables -F
iptables -F -t nat

iptables -F sperre
iptables -X sperre
iptables -N sperre
iptables -F sperre

# first contact #
#################
iptables -A sperre -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP
iptables -A sperre -i eth1 -j ACCEPT
iptables -A sperre -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT
iptables -A sperre -i ppp0 -s 192.168.0.0/255.255.255.0 -j DROP

# accept stuff #
################
iptables -A sperre -p tcp --dport 80 -j ACCEPT
iptables -A sperre -p tcp --dport 9050 -j ACCEPT

# allow replies #
#################
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT

# reject everything else (RFC-compliant) #
##########################################
iptables -A sperre -p tcp -j REJECT --reject-with tcp-reset
iptables -A sperre -p udp -j REJECT --reject-with icmp-port-unreachable

# activate sperre #
###################
iptables -A INPUT -j sperre
iptables -A FORWARD -j sperre
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# NAT #
#######
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE # whatever goes out is masqueraded

iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 9050 -j DNAT --to-destination 192.168.1.2
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 9050 -j DNAT --to-destination 192.168.1.2

iptables -A POSTROUTING -t nat -o eth1 --j SNAT --to-source 192.168.1.1
##############################################################

Thank you for your help. Regards, henrik


 
Jeroen Geilman
      10-18-2006, 08:48 PM
Henrik Feidner wrote:
> Hi,
> I have a small problem with my network configuration.
> My router is connected to the internet over DSL via one NIC and has a second
> NIC for my internal net.
> I'm running a web server on my router. On my web server I have a site with a
> Java applet; this applet wants to open a socket on port 9050 on my router.
> This port is forwarded to an internal host.

It wants to open a /connection/ to a socket on port 9050, I presume?
The fact that it is properly forwarded to an internal machine makes it a
socket, i.e. something that can accept incoming connections.

> Now if I call the web site from my internal network the applet can open the
> socket, but if I call the applet from outside, from the internet, I get a
> " ...... 9050 connection timed out: connect".

How does the Java applet know which IP address to use?

> Maybe my iptables script is missing a rule to allow opening this socket?

No clue, but this is an English newsgroup - please post an English
iptables script. iptables is hard enough to read in English!

J.
 
Henrik Feidner
      10-19-2006, 08:22 AM
Hi Jeroen,

thank you for your answer.

> "Jeroen Geilman" <(E-Mail Removed)> wrote in message
> > Henrik Feidner wrote:
> > Hi,
> > I have a small problem with my network configuration.
> > My router is connected to the internet over DSL via one NIC and has a
> > second NIC for my internal net.
> > I'm running a web server on my router. On my web server I have a site
> > with a Java applet; this applet wants to open a socket on port 9050 on
> > my router. This port is forwarded to an internal host.
>
> It wants to open a /connection/ to a socket on port 9050, I presume?
> The fact that it is properly forwarded to an internal machine makes it a
> socket, i.e. something that can accept incoming connections.
>

Yes, the applet wants to open a connection to a socket on port 9050.
And yes, there is a webcam connected at my internal host on port 9050. So I
forwarded port 9050 of my router to my internal host.

> > Now if I call the web site from my internal network the applet can open
> > the socket, but if I call the applet from outside, from the internet,
> > I get a " ...... 9050 connection timed out: connect".
>
> How does the Java applet know which IP address to use?

I give the IP address via a parameter; it's the internet IP address of the
device ppp0.

>
> > Maybe my iptables script is missing a rule to allow opening this socket?
>
> No clue, but this is an English newsgroup - please post an English
> iptables script. iptables is hard enough to read in English!
>

Sorry for posting stuff in German, I translated the comments to English.

#!/bin/sh

echo "1" > /proc/sys/net/ipv4/ip_forward # initialize forwarding

# flush, delete, create
##############################################################
iptables -F
iptables -F -t nat

iptables -F mychain
iptables -X mychain
iptables -N mychain
iptables -F mychain

# first contact #
#################

# throw away everything from the LAN which does not have my IP addresses
iptables -A mychain -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP

# otherwise accept everything else from the LAN
iptables -A mychain -i eth1 -j ACCEPT

# for loopback everything is allowed
iptables -A mychain -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT

# throw away everything from the internet with my IP addresses
iptables -A mychain -i ppp0 -s 192.168.0.0/255.255.255.0 -j DROP

# accept stuff #
################
iptables -A mychain -p tcp --dport 9050 -j ACCEPT # accept connection on port 9050

# answers allowed #
###################
iptables -A mychain -m state --state ESTABLISHED,RELATED -j ACCEPT

# reject everything else (RFC-compliant) #
##########################################
iptables -A mychain -p tcp -j REJECT --reject-with tcp-reset
iptables -A mychain -p udp -j REJECT --reject-with icmp-port-unreachable

# activate mychain #
####################
#iptables -A INPUT -j mychain
#iptables -A FORWARD -j mychain
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -P OUTPUT ACCEPT # always accept output
iptables -t nat -P OUTPUT ACCEPT

# NAT #
#######
# everything going out will be masqueraded
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

# forward connection to device eth0 on port 9050 to internal host
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 9050 -j DNAT --to-destination 192.168.1.2

# forward connection to device ppp0 on port 9050 to internal host
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 9050 -j DNAT --to-destination 192.168.1.2

iptables -A POSTROUTING -t nat -o eth1 --j SNAT --to-source 192.168.1.1
iptables -A POSTROUTING -t nat -o ppp0 --j SNAT --to-source 192.168.1.1

echo "Firewall started"
Jeroen Geilman
      10-20-2006, 10:34 PM
Henrik Feidner wrote:

> Sorry for posting stuff in German, I translated the comments to English.

Very well. Let's have at them!

>
> #!/bin/sh
>
> echo "1" > /proc/sys/net/ipv4/ip_forward # initialize forwarding
>
> # flush, delete, create
> ##############################################################
> iptables -F
> iptables -F -t nat
>
> iptables -F mychain
> iptables -X mychain
> iptables -N mychain
> iptables -F mychain
>
> # first contact #
> #################
>
> # throw away everything from the LAN which does not have my IP addresses
> iptables -A mychain -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP
>
> # otherwise accept everything else from the LAN
> iptables -A mychain -i eth1 -j ACCEPT
>
> # for loopback everything is allowed
> iptables -A mychain -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT
>
> # throw away everything from the internet with my IP addresses
> iptables -A mychain -i ppp0 -s 192.168.0.0/255.255.255.0 -j DROP
>
> # accept stuff #
> ################
> iptables -A mychain -p tcp --dport 9050 -j ACCEPT # accept connection on port 9050

This is quite ambiguous: unless you know in advance exactly how the
mychain chain is called, you may be ACCEPTing traffic that should be
processed further, which it never will: ACCEPT == stop processing.
Furthermore, it's only a connection in the INPUT chain.
In the FORWARD chain it would be allowing a routing choice - which you
probably don't want.
Filter where you should - on the INPUT chain.

> # answers allowed #
> ###################
> iptables -A mychain -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # reject everything else (RFC-compliant) #
> ##########################################
> iptables -A mychain -p tcp -j REJECT --reject-with tcp-reset
> iptables -A mychain -p udp -j REJECT --reject-with icmp-port-unreachable
>
> # activate mychain #
> ####################
> #iptables -A INPUT -j mychain
> #iptables -A FORWARD -j mychain

These are not actually executed - they're commented out.
Assuming you are aware of this: I would never use one custom chain to
catch both forwarding and incoming traffic, since they are too different.
Consider using at least 2: my_input and my_forward.
This allows you to separate rules that have nothing to do with one
another, and prevents every packet from having to go through all the
rules in what are essentially two rulesets rolled into one.
Needless overhead ensues.

> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT

You're turning the Big Red Security switch to the "OFF" position.
Don't. Do. This.

> iptables -P OUTPUT ACCEPT # always accept output
> iptables -t nat -P OUTPUT ACCEPT
>
> # NAT #
> #######
> # everything going out will be masqueraded
> iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

Pretty basic, okay.

> # forward connection to device eth0 on port 9050 to internal host
> iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 9050 -j DNAT --to-destination 192.168.1.2

Yeahh-h.. except that this is eth1, not eth0.
*One* of these is your incoming DSL/PPPoA line, and you do. not. want
to firewall that.

> # forward connection to device ppp0 on port 9050 to internal host
> iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 9050 -j DNAT --to-destination 192.168.1.2

And *this* is the one thing you say is not working?
What does a tcpdump on the ppp0 interface show?

> iptables -A POSTROUTING -t nat -o eth1 --j SNAT --to-source 192.168.1.1
> iptables -A POSTROUTING -t nat -o ppp0 --j SNAT --to-source 192.168.1.1

... these completely obviate the MASQUERADE rule earlier - why?

J.
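As an added example (not Henrik's script and not Jeroen's code), here is a rework of the script along the lines of Jeroen's comments above: two chains instead of one, DROP policies instead of ACCEPT, a single MASQUERADE rule, and an explicit FORWARD rule that admits only the DNATed webcam port to 192.168.1.2. The interface names, networks and ports are the thread's; the `firewall_rules` function, the `apply` argument and the decision to drop the LAN-side DNAT/SNAT pair (so LAN clients reach the webcam at 192.168.1.2 directly) are my own assumptions.

```shell
#!/bin/sh
# Added example (not either poster's script) applying Jeroen's points: separate
# my_input/my_forward chains, DROP policies, one MASQUERADE, and an explicit
# FORWARD rule for the DNATed webcam port. Interfaces/addresses are the
# thread's: ppp0 = DSL, eth1 = LAN, webcam 192.168.1.2:9050, web server on 80.
WAN=ppp0; LAN=eth1; LAN_NET=192.168.1.0/24
CAM=192.168.1.2; CAM_PORT=9050; WEB_PORT=80
# Emit the rule set, one iptables command per line, so it can be reviewed
# before it is applied.
firewall_rules() {
    cat <<EOF
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -N my_input
iptables -N my_forward
# Locally delivered traffic: loopback, replies, the LAN, and the web server.
iptables -A my_input -i lo -j ACCEPT
iptables -A my_input -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A my_input -i $LAN -s ! $LAN_NET -j DROP
iptables -A my_input -i $LAN -j ACCEPT
iptables -A my_input -i $WAN -s $LAN_NET -j DROP
iptables -A my_input -i $WAN -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT
iptables -A my_input -p tcp -j REJECT --reject-with tcp-reset
iptables -A my_input -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A my_input -j DROP
# Routed traffic: replies, LAN out to the internet, only the DNATed port in.
iptables -A my_forward -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A my_forward -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A my_forward -i $WAN -o $LAN -d $CAM -p tcp --dport $CAM_PORT -m state --state NEW -j ACCEPT
iptables -A my_forward -j DROP
# Policies stay DROP; the two chains decide what passes.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -j my_input
iptables -A FORWARD -j my_forward
# NAT: DNAT the webcam port from the internet, masquerade everything outbound.
iptables -t nat -A PREROUTING -i $WAN -p tcp --dport $CAM_PORT -j DNAT --to-destination $CAM:$CAM_PORT
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}
# Apply on the router (needs root); "sh -e" stops at the first iptables error
# instead of leaving a half-applied rule set.
apply_firewall() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    firewall_rules | sh -e
}
if [ "${1:-}" = apply ]; then apply_firewall; fi
```

Jeroen's tcpdump check fits alongside it: `tcpdump -ni ppp0 tcp port 9050` on the router shows whether the SYN for port 9050 arrives on ppp0 at all before the rules are blamed.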
 