IPTables + Portsentry= Headache...



  1. #1
    Join Date: Aug 2000 | Location: Dallas, TX | Posts: 38

    IPTables + Portsentry= Headache...

    Hey people,
    I was hoping someone here could help with a networking issue I am having...
    This is sort of related to an earlier post: http://www.linuxnewbie.org/cgi-bin/u...&f=13&t=004918
    Here's the skinny...
    I start the machine (the gateway) and lay down the IPTables chains (see above link).
    Then I start Portsentry (it doesn't matter if I use -tcp & -udp, or -atcp & -audp, or -stcp & -sudp). After a period of time (it varies between a few minutes and a few hours), I lose any connection from my internal network, and I also get booted if using ssh from an outside connection. I have narrowed it down to portsentry (unfortunately) as the culprit. Maybe it is my configuration, but I really don't know.
    The strange thing is that (internally) I lose any ability to connect to a www or ftp site, yet I can still ping from the internal network. Also, if I try to ssh from work (with portsentry running), it will eventually die. I try to ping the address and I get no response, yet the machine is still connected (I know this because my wife and I work on this over the phone (how primitive)). I really don't know what to do next, except not use portsentry. I am (after posting this) going to re-read the portsentry HOWTO, to maybe gain a little insight.
    _________________________________________
    <UNRELATED TOPIC>
    Anyone know of any good software to have on a gateway? (I know, it should be a firewall, but without any good security software, it's only just a gateway...)
    </UNRELATED TOPIC>
    _________________________________________
    Thanks in advance,
    Dr. Strangelove
    Your mama is so fat that all your base belong to her!

  2. #2
    Join Date: Aug 2000 | Location: Dallas, TX | Posts: 38
    After much trial and error, I think my previous post was wrong. I don't think it's portsentry causing me grief.
    I experienced the same problem after running iptables WITHOUT portsentry running.
    I then restarted iptables with these two lines commented out:
    #This should forward the http ports (80)...hopefully
    #/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.0.5

    #This should forward the ftp ports (21)...hopefully
    #/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.0.5

    Then I ran portsentry. Now with all this in mind, I have had no problems with the network for about 24 hrs.
    With those two lines in there (this is purely speculation) I have problems masquerading. I really don't know what to do. I usually run both lines at once; I am going to see if I can forward port 21 first. If after that I cannot load ftp sites, I know where the problem lies.
    Any help you could give would be...well, helpful. Is the syntax wrong (I don't think so, because it will forward the ports)?
    Thanks in advance...
    Dr. Strangelove.
    Your mama is so fat that all your base belong to her!

  3. #3
    Join Date: Aug 2000 | Location: Dallas, TX | Posts: 38
    I just tested it...
    I forwarded port 21 to an internal machine. Now that internal machine can't access ftp sites...

    That is strange...

    It seems that I cannot access any ftp site from any machine behind the gateway.
    Any suggestions?
    Thanks,
    Dr. Strangelove
    Your mama is so fat that all your base belong to her!

  4. #4
    Join Date: Jun 2000 | Location: Sacramento, CA, USA | Posts: 42
    You may want to give gShield (http://muse.linuxmafia.org/gshield.html) a try. It's a firewall that has support for NAT and is configured via a well documented shell script. I have two boxes (RH 6.2 and win9x) behind the firewall (RH 7.1) and I haven't had any issues with getting outside. I just use the firewall as the gateway.

    Speck

  5. #5
    Join Date: Aug 2015 | Posts: 2
    Well, this is a very old thread, but there is a solution for others.
    The iptables rules you are using or have used:
    #/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.0.5
    #/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to 192.168.0.5
    are doing NAT of every connection whatsoever that tries to connect to either the web or FTP port.
    The basic way port forwarding should be handled is by restricting it to either an input interface or a destination IP.
    In this example you can use it with WAN interface eth0:
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport 80 -j DNAT --to 192.168.0.5
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp -p tcp --dport 21 -j DNAT --to 192.168.0.5
    In many cases you would need more than just port 21 for FTP, so keep this in mind.

  6. #6
    Join Date: Aug 2015 | Posts: 2
    Quote Originally Posted by elico:
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport 80 -j DNAT --to 192.168.0.5
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp -p tcp --dport 21 -j DNAT --to 192.168.0.5
    was a typo and should be:
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport 80 -j DNAT --to 192.168.0.5
    #/sbin/iptables -t nat -A PREROUTING -i eth0 -m state --state NEW -p tcp --dport 21 -j DNAT --to 192.168.0.5
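Added example (not code from the thread or from elico): a small Python model of how a PREROUTING chain matches DNAT rules, used to show why the unrestricted rules from post #2 redirect the LAN's own outbound FTP connections to 192.168.0.5 (the symptom in post #3), while the interface-restricted rules from posts #5 and #6 only catch new connections arriving on the WAN side. Interface names eth0/eth1 and the outside addresses are assumptions constructed for the demo.

```python
# Added example: a minimal model of iptables PREROUTING DNAT matching.
# Not the thread's own script; interface names and outside IPs are constructed.
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Packet:
    in_iface: str        # interface the packet arrived on (-i)
    proto: str
    dst: str
    dport: int
    state: str = "NEW"   # conntrack state as seen by '-m state'

@dataclass
class DnatRule:
    proto: str
    dport: int
    to: str                          # --to <addr>
    in_iface: Optional[str] = None   # -i <iface>; None means any interface
    state: Optional[str] = None      # --state <X>; None means no state match

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto and pkt.dport == self.dport
                and (self.in_iface is None or pkt.in_iface == self.in_iface)
                and (self.state is None or pkt.state == self.state))

def prerouting(rules: List[DnatRule], pkt: Packet) -> str:
    """First matching DNAT rule wins, as in a real chain; returns the final dst."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.to
    return pkt.dst

# Rules as posted in #2: no interface restriction, so they match packets from the LAN too.
UNRESTRICTED = [DnatRule("tcp", 80, "192.168.0.5"), DnatRule("tcp", 21, "192.168.0.5")]
# Rules as corrected in #6: only new connections that arrive on the WAN interface.
RESTRICTED = [DnatRule("tcp", 80, "192.168.0.5", in_iface="eth0", state="NEW"),
              DnatRule("tcp", 21, "192.168.0.5", in_iface="eth0", state="NEW")]

# Constructed traffic: a LAN host (eth1) opening FTP to an outside server, and an
# outside host (eth0) connecting to the gateway's published FTP port.
LAN_TO_INTERNET_FTP = Packet(in_iface="eth1", proto="tcp", dst="203.0.113.10", dport=21)
INTERNET_TO_FTP_SERVER = Packet(in_iface="eth0", proto="tcp", dst="198.51.100.1", dport=21)

def demo() -> dict:
    return {
        "unrestricted_lan_ftp": prerouting(UNRESTRICTED, LAN_TO_INTERNET_FTP),
        "restricted_lan_ftp": prerouting(RESTRICTED, LAN_TO_INTERNET_FTP),
        "restricted_inbound_ftp": prerouting(RESTRICTED, INTERNET_TO_FTP_SERVER),
    }

if __name__ == "__main__":
    for name, final_dst in demo().items():
        print(f"{name}: packet delivered to {final_dst}")
```

With the unrestricted rules, the LAN client's connection to 203.0.113.10 is rewritten to the internal FTP server, which is why no machine behind the gateway could reach any ftp site; the restricted rules leave it untouched and still forward the inbound connection. As post #5 notes, real FTP also needs its data connections handled (the kernel's FTP conntrack helper or a passive port range), which this model of port 21 alone does not cover.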
