Resolved
0 votes
Hi all,

I have ClearOS installed as a gateway/router for a customer LAN setup.
I've been doing port forwarding for a couple of printers connected to the LAN, exploiting local ports 9100 or 80/443 for printing and management purposes.
Here are my iptables -nvL FORWARD rules, all set by the web interface of ClearOS.

[root@ism ~]# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.60 tcp dpt:443
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.60 tcp dpt:9100
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.128 tcp dpt:80
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.128 tcp dpt:9100
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.250 tcp dpt:59005
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.72 tcp dpt:5900
0 0 ACCEPT tcp -- * eth1 0.0.0.0/0 10.3.0.11 tcp dpt:8080
466 246K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
3 204 ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0


I just want to add a rule so that the communication to the internal IPs of the printers can be established only from a specific public external IP (say 100.100.100.100).
I've tried to add a simple rule with the incoming firewall which is:

iptables -t filter -I FORWARD -s [PUBLIC LAN IP] -d 10.3.0.60 -p tcp --dport 33333 -j ACCEPT 100.100.100.100

The rule gets accepted by the web interface, but nothing works and the rule doesn't even appear in #iptables -nvL FORWARD.

I just want the port forwards to appear as:

0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.60 tcp dpt:443
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.60 tcp dpt:9100
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.128 tcp dpt:80
0 0 ACCEPT tcp -- * eth1 100.100.100.100 10.3.0.128 tcp dpt:9100


Any ideas or suggestions? Thank you in advance for your kind help.
Cercamon
Thursday, January 13 2022, 05:20 PM
Responses (12)
  • Thursday, January 13 2022, 08:06 PM
    A port forward is made up of two rules, a FORWARD rule and, in the nat table, a PREROUTING rule. There is a third rule which is not entirely necessary. Try something like:
    $IPTABLES -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.60 -p tcp -m multiport --dports 443,9100 -j ACCEPT
    $IPTABLES -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.128 -p tcp -m multiport --dports 80,9100 -j ACCEPT
    $IPTABLES -I PREROUTING -d your_WAN_IP -p tcp -m multiport --dports 443,9100 -j DNAT --to-destination 10.3.0.60
    $IPTABLES -I PREROUTING -d your_WAN_IP -p tcp -m multiport --dports 80,9100 -j DNAT --to-destination 10.3.0.128
    I think --to-destination can be shortened to "--to". You need to test the rules at the command line first by using "iptables" instead of "$IPTABLES". If you get an error then the command is slightly wrong.

    There is, however, a fatal flaw in what you are doing. You can't forward the same port (9100) to more than one IP. You can use a different WAN port and switch the port in the PREROUTING rule back to 9100, but you would need to split the PREROUTING rule into two separate rules (drop the "-m multiport" and change --dports to --dport).

    If you want to use the WAN IP from your LAN, you need a third rule.
  • Thursday, January 13 2022, 09:04 PM
    You have not listened about port 9100.

    If you want to use ClearOS port forwarding, then you will want to insert DROP rules to block the unwanted IPs. If you only want one IP, it is easy:
    $IPTABLES -I FORWARD -i eth1 ! -s 100.100.100.100 -p tcp  -d 10.3.0.60 -m multiport --dports 443,9100 -j DROP
    $IPTABLES -I FORWARD -i eth1 ! -s 100.100.100.100 -p tcp -d 10.3.0.128 -m multiport --dports 80,9100 -j DROP
    If you have multiple external IPs you have a bigger issue. You will need multiple accept rules and a single DROP rule for everything above it (so it appears last in the iptables listing).

    If you want one external IP to forward to one device and another to the other, they can both use port 9100, but only if you use my original custom rules and not ClearOS port forwarding.
  • Friday, January 14 2022, 09:49 AM
    No. The last rules have a "!" in them which means "not". You can't do a port forward from a single WAN IP simply through the webconfig. You have to use one of the two methods outlined. If you do it all through custom rules, you will need extra lines as you are also port switching and the --to-destination will become something like --to-destination=10.3.0.128 and the "-m multiport --dports 80,9100" gets simplified to "--dport 39133" etc.
  • Friday, January 14 2022, 10:51 AM
    Not quite:

    iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.60 -p tcp --dport 9100 -j ACCEPT
    iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.128 -p tcp --dport 9100 -j ACCEPT
    iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59100 -j DNAT --to-destination 10.3.0.60:9100
    iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59101 -j DNAT --to-destination 10.3.0.128:9100
    Otherwise it won't switch ports.
  • Friday, January 14 2022, 11:04 AM
    Note also to use $IPTABLES in the Custom firewall and not iptables.
  • Friday, January 14 2022, 02:05 PM
    Crumbs. You are still on 6.x! That has not been updated for 2 1/2 years. Please use 7.x and $IPTABLES (which, as you note, does not work in 6.x).
  • Saturday, January 15 2022, 04:54 PM
    The firewall has three main tables: filter, nat and mangle. filter is the default and does not need to be specified in any commands; the other two do. I could cheat and edit my posts with the correct command, but remember I said try them at the command line first and only apply them if there aren't errors. You've clearly overlooked that bit, as the PREROUTING chain is part of the nat table, so any command on the PREROUTING chain needs "-t nat" adding to it, including your listing.

    Note that you've been lucky. Getting a custom firewall command wrong **can** put the firewall into a restart loop which is hard to break. Always test Custom Firewall rules first.

    The rules needed are the same in 6 and 7 except for the iptables/$IPTABLES issue.
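The custom-rule approach from the replies above, consolidated into one script as an added example (not code from the thread or from ClearOS): the DNAT goes in the nat table with "-t nat", each printer gets its own WAN port so both keep LAN port 9100, the FORWARD ACCEPT is limited to the one allowed source and the same printer port is dropped from every other source. WAN_IF (eth0) and WAN_IP (203.0.113.10) are assumptions, since the listing only shows eth1 as the LAN side; DRY_RUN=1 prints the commands for checking at the shell before applying them.

```shell
#!/bin/sh
# Added example, not from the thread or ClearOS. Builds restricted port
# forwards: nat PREROUTING DNAT + source-limited FORWARD ACCEPT + DROP
# for the same printer port from any other source.
WAN_IF="eth0"             # assumption: WAN interface (listing only shows eth1, the LAN side)
LAN_IF="eth1"             # LAN interface, as in the thread's FORWARD listing ("out eth1")
WAN_IP="203.0.113.10"     # placeholder standing in for my_WAN_IP
ALLOWED_SRC="100.100.100.100"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands to check first, 0 = apply as root

# ipt: print the command in dry-run mode, otherwise run it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# restricted_forward WAN_PORT LAN_IP LAN_PORT
# A distinct WAN port per printer lets both keep LAN port 9100.
# "-I" puts each rule at the top of its chain, so the DROP lands above
# any 0.0.0.0/0 ACCEPT the ClearOS web interface created. The ACCEPT
# and the DROP match disjoint sources, so their relative order is moot.
restricted_forward() {
    wan_port="$1"; lan_ip="$2"; lan_port="$3"
    ipt -t nat -I PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    ipt -I FORWARD -o "$LAN_IF" ! -s "$ALLOWED_SRC" -d "$lan_ip" \
        -p tcp --dport "$lan_port" -j DROP
    ipt -I FORWARD -o "$LAN_IF" -s "$ALLOWED_SRC" -d "$lan_ip" \
        -p tcp --dport "$lan_port" -j ACCEPT
}

# verify_commands: the listings to read back afterwards. PREROUTING lives
# in the nat table, so a plain "iptables -nvL PREROUTING" shows nothing.
verify_commands() {
    echo "iptables -t nat -nvL PREROUTING"
    echo "iptables -nvL FORWARD"
}

restricted_forward 59100 10.3.0.60  9100   # WAN :59100 -> 10.3.0.60:9100
restricted_forward 59101 10.3.0.128 9100   # WAN :59101 -> 10.3.0.128:9100
verify_commands
```

Run it once with the default DRY_RUN=1 and paste each printed line at a root shell; only when none of them errors is it worth moving the same lines into the Custom Firewall.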
  • Thursday, January 13 2022, 08:40 PM
    Thank you for your message and hints.
    So far the rules in the first iptables result have worked well. But the source was of course 0.0.0.0/0, and that is "dangerous" because anyone, even randomly, can reach those external ports on the WAN IP and cause problems to the printers.

    So I just want to integrate the existing configuration, which works pretty well, with the limit of the source IP, the only one authorized to connect to those port forwards.

    Thanks.
    David
  • Thursday, January 13 2022, 10:07 PM
    I am sorry, but from what I understand after reading your messages, I did not explain what my real aim is.

    I've got port forwarding configured as in the picture of my last post. That was configured from the ClearOS web interface and it works pretty fine as it is. External ports on the WAN-IP from 39130 to 39133 are forwarded to 10.3.0.60:443 and 9100 ports and 10.3.0.128:80 and 9100. It all works as expected.

    Now I just want to allow this forwarding chain from a single public IP address instead of the entire Internet (0.0.0.0/0). Your last message seems to go in the opposite direction, i.e. blocking a single IP address by dropping every TCP packet coming from it and that's not my case.

    Of course, I'd be glad to get rid of the rules created by ClearOS and only use custom rules, but I'm not sure I have understood how to do that. I'd like to continue using WAN-IP ports but the only authorized IP must be the one of a remote server that I control. I think I am very close to the solution, but I'm not sure exactly what the remaining steps are.

    Thank you very much for your help.
  • Friday, January 14 2022, 10:33 AM
    Thank you.
    Let me check if I get this. Will these rules work for what I intend to do?


    iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.60 -p tcp --dport 9100 -j ACCEPT
    iptables -I FORWARD -i eth1 -s 100.100.100.100 -d 10.3.0.128 -p tcp --dport 9100 -j ACCEPT
    iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59100 -j DNAT --to-destination 10.3.0.60
    iptables -I PREROUTING -d my_WAN_IP -p tcp --dport 59101 -j DNAT --to-destination 10.3.0.128


    And I'll delete/disable all the rules set from the ClearOS web interface.

    This way traffic directed to my_WAN_IP on the ports 59100 and 59101 will only be accepted if it comes from 100.100.100.100 and will be redirected to ports 9100 of 10.3.0.60 and 10.3.0.128 respectively. Will this work as I need it to?
  • Friday, January 14 2022, 01:48 PM
    If I use "$IPTABLES" instead of "iptables" (no quotes) the Custom Firewall produces an error ("Command not permitted").
    After confirming the custom commands with "iptables" they get accepted and they show up in my iptables -nvL FORWARD list.

    My ClearOS Community version is:
    Version	ClearOS Community release 6.10.0 (Final)
    Kernel Version 2.6.32-754.6.3.v6.x86_64
  • Saturday, January 15 2022, 01:26 PM
    Yes, that version has been there for more than 5 years - not a single issue. It always worked fine, port forwarding included.
    Do you think that there's a way to make it work with 6.x version? Upgrading to 7.X would be possible but not an easy/fast thing to do.

    The custom firewall rules are getting accepted with "iptables" (not $IPTABLES) but maybe they're wrong somehow.
    After inserting PREROUTING rules, I can't see them with

    #iptables -nvL PREROUTING

    I'm only asking to let port forwarding work from a single IP or public network instead of the entire Internet. (i.e. 100.100.100.100 or 100.100.100.0/24)