First of all -- the computer I need to do this on is running Mandrake Linux 8.0, although it has all the latest updates as well as kernel 2.4.12. It's also serving as a router (for 192.168.1.x).
I need to forward roughly 2000 ports from one computer to another, and I was wondering, is there any way to do this? I haven't managed to find any Linux program that can do it.
If there's no simple solution, one idea I had is simply to write a script that just uses a "for" loop to issue the proper 2000 iptables commands, but I'm having trouble figuring out how to do that. For example, if I wanted to forward port 40000 incoming on eth0 to port 80 on 192.168.1.2, I think I should do:
However, this is only kinda-sorta working. I've got a port monitor running on 192.168.1.2:80 -- whenever I try connecting directly to that computer through a web browser, it sends all the appropriate header info, but if I try connecting to this IP at port 40000, the monitor just reports the repeated opening and closing of connections...?
Anyways, I'm stumped. Any help at all would be greatly appreciated.
jumpedintothefire
11-05-2001, 08:21 PM
Are you testing from the lan or the internet?
Yosho
11-05-2001, 08:54 PM
I've tried both, and both give the same results. I just set up a quick example -- if you try to go to http://129.118.173.195/, it should load the page successfully, but if you try http://129.118.173.196:40000 (http://129.118.173.196:40000/), it just sits there doing nothing, although I use the above commands to forward 129.118.173.196:40000 to 129.118.173.195:80.
One program I've found that I really like for forwarding ports is at http://portfwd.sourceforge.net/. I can get it working fine -- for example, if you try to go to http://129.118.173.196:27015, it should redirect you to 129.118.173.196:80 perfectly. Unfortunately, this program can't handle more than 256 ports. :-(
By the way, if you're wondering exactly what I'm doing this for (since I obviously have more than one IP ;-) -- I've got a Dreamcast (you know, the game console) that I'm trying to set up on the internet. I don't have a broadband adapter unit for it, though, so I've got a direct PPP connection set up between it and a modem on .173.196. However, for some reason it won't grab a real IP, so I set up .173.196 as a router just for the Dreamcast and gave it a private IP. It will connect and browse the 'net fine, but I have a game that requires ports 40000 through 41999. :-(
jumpedintothefire
11-05-2001, 09:42 PM
Why not just set the linux box at 195 to be a
dial in server? You can set up pppd, then use the linux's ip as the local port 129.118.173.195 (from the server's view) and 129.118.173.196 as the remote end. just like an isp.
Make sure your /etc/ppp/options file has proxyarp in it either way you go or the ppp link will not be able to talk to any thing but the server.
196 is a second box right now?
Yosho
11-05-2001, 10:34 PM
Well, that's essentially what I'm doing -- 195 and 196 are both computers. I have the Dreamcast's modem plugged directly into 196, and 196 is acting as a PPP server. However, for some reason it seems like I can't assign a real IP to the Dreamcast -- it always treats it as if it's a private IP. Since the game I'm trying to play requires those 2000 ports, I need to be able to forward them from 196 to the Dreamcast (it's 192.168.1.2 at the moment, but the IP is really arbitrary)
jumpedintothefire
11-05-2001, 11:30 PM
-----
However, for some reason it seems like I can't assign a real IP to the Dreamcast always treats it as if it's a private IP.
-----
This is weird, how would you dial into a real
isp?
How many ip(s) do you have to play with?
Could you post (or email me) the ppp config 1) that you were trying? 2) and are using now?
Help me out here,(I'm a still going uphill, but I can see the peak!!) what tools does dreamcast have to test with?
-----
I have the Dreamcast's modem plugged directly into 196, and 196 is acting as a PPP server
-----
null-modem cable or through the phone line?
What does ifconfig say when your dialed in?
Sounds like your just missing a little something in the config to get the dreamcast a public ip using 195 as the dialin server.
By using 195 as the dialin server, you should be able to give the dreamcast 196, without using a second box. Then the portforwarding is not required, just a litle routing, and some quick rules to do the forwarding to/from
the ppp interface.
Yosho
11-06-2001, 12:24 AM
-----
This is weird, how would you dial into a real
isp?
-----
With the Dreamcast, you mean? Well, in the options screen you can specify a login name/password, phone number, two DNS servers, the modem init string, and if you need to use a proxy server. (There are also a number of options you'd expect such as the call waiting prefix, wait for dialtone, etc.) You just have to fill out those fields and click the connect button, and it works fine.
-----
How many ip(s) do you have to play with?
-----
I can use just about any used IP in the 129.118.x.x netblock -- you see, I live in a dorm room at Texas Tech University, and they own that netblock. Their network security is *really* lax, though. ;-) (seriously -- I got fed up with how often their DHCP servers were down, so I set up my own -- it's on 196 -- and most of my dorm hall is already on it. I've tried contacting the admins and didn't get a response, so I assume they don't care...)
-----
Could you post (or email me) the ppp config 1) that you were trying? 2) and are using now?
-----
First, I should probably say that I'm using the Bastille firewall scripts for handling the routing and gateway stuff. It's set to do NAT for 192.168.1.0/255.255.255.0 -- previosly that was 129.118.173.0/255.255.255.0. I don't know too much about routers and such stuff, so I could easily be making a stupid error in that area.
(Those are TTU's DNS servers, by the way)
/etc/ppp/options.ttyS2 is:
129.118.173.196:192.168.1.2
And /etc/ppp/pap-secrets has the line:
dreamcast * (password obscured) 192.168.1.2
-----
Help me out here,(I'm a still going uphill, but I can see the peak!!) what tools does dreamcast have to test with?
-----
Unfortunately, one thing that's making it a challenge is that is has almost none. ;-) So I've been using 195 to test port forwarding out, and the Dreamcast has a built-in web browser, so I can use it to access web sites and then read the logs (assuming I can gain access to the logs of said web site).
-----
null-modem cable or through the phone line?
-----
I'm not really familiar with the term "null-modem cable" -- I've got a plain old RJ-11 cable running straight from the DC modem to the line-in on the PC modem. If it helps any, when I was doing all this, I was following instructions at the site http://www.kinox.org/articles/linuxdc.html. The guy has kernel 2.0.38, though, so you might have to fudge around with some things. In particular, the link there entitled "Gentry Information Distribution" was a big help.
-----
What does ifconfig say when your dialed in?
-----
eth0 Link encap:Ethernet HWaddr 00:40:F4:15:07:36
inet addr:129.118.173.196 Bcast:129.118.173.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1
RX packets:1627371 errors:0 dropped:0 overruns:0 frame:0
TX packets:1157214 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:244198375 (232.8 Mb) TX bytes:255326152 (243.4 Mb)
Interrupt:11 Base address:0xc000
Hopefully all that stuff will help you out a bit -- I don't have much time to experiment around tonight, gotta go work on homework and all that.
Yosho
11-06-2001, 12:33 AM
Whoops, I forgot to mention -- the subnet mask on 196 should theoretically be 255.255.0.0. However, just to make sure that it doesn't lose its IP, I have it still grabbing one from TTU's DHCP server -- and their server sets the subnet mask to 255.255.255.0. I've tried setting it manually to 255.255.0.0, but that causes lots of stuff to stop working right. I could just manually set the IP and such, but then I'd risk losing my IP lease (the Tech DHCP server set leases to expire every hour), and somebody else might grab .173.196.
jumpedintothefire
11-06-2001, 12:41 AM
this won't take much time.
Since you have a bunch of ips, lets try this on the dialin box:
129.118.173.196:192.168.1.2
change to
129.118.173.196:129.118.173.(197)
(use any one that is available)
and this
dreamcast * (password obscured)
129.118.173.(197)
(note the live ip needs to match the one above)
Let see what ifconfig gives you now?
can you ping (197) from the 195 box?
[ 05 November 2001: Message edited by: jumpedintothefire ]
jumpedintothefire
11-06-2001, 12:55 AM
The modem to modem is a new one on me, :o
thanks for the link ;)
null modem is a serial cable between 2 computers with some wires crossed to fake a modem as far as the computers are concerned.
much like a RJ45 crossover cable
Yosho
11-06-2001, 01:06 AM
Eeek -- I was about to try that, but it doesn't seem to like it. I assume that in Bastille, I'd need to change the NAT'd network from 192.168.1.0/255.255.255.0 to 129.118.173.0/255.255.255.0, right? I did that, but after that, suddenly 196 started ignoring all incoming connections -- I couldn't connect through HTTP, SSH, whatever. I had to log in manually to fix it (195 is my workstation, I run all my server stuff on 196). Is there another way of setting up a gateway than through NAT like that..?
And you're welcome for the link -- it's new to me, too, but I think it's pretty cool. ;-)
jumpedintothefire
11-06-2001, 01:28 AM
----
I'd need to change the NAT'd network from
192.168.1.0/255.255.255.0 to 129.118.173.0/255.255.255.0, right?
----
No your not doing NAT for the ppp link, just straight routing and forwarding, like for a public DMZ. One step at a time. Get the ppp link using the public ip (197) first. Then worry about the rules to allow traffic. Are you doing anything major with 195? Maybe play with 195 as not to mess up your server. Did you get an ifconfig?
Yosho
11-06-2001, 01:40 AM
Oh, I live for messing up my server. ;-) In any case, I changed those, and it's successfully connected. I gave it 193, by the way. ifconfig now looks like:
When the Dreamcast first connects, normally it goes to its homepage; however, it gave an error that it could not look up the host name. When I try to access the web server at 196 (the computer it's connected to) via the IP, it works fine, but I can't access any other IPs. Likewise, I can ping 193 from 196, but if I try to ping it from 195, it says "Destionation Host Unreachable."
Just judging by that, I'd guess now I need to figure out how to route ppp0 to eth0... I've never done flat-out routing like this before, just NAT, so I guess I better go look up some help documents.
jumpedintothefire
11-06-2001, 02:09 AM
Well your half way there.
I'm still working through some of the finer details of iptables, the syntax maybe wrong but the idea is correct.
#Incoming request from internet
iptables -A FORWARD -i eth0 -s 0/0 -d 129.118.173.193 -j ACCEPT
iptables -A FORWARD -o eth0 -s 0/0 -d 129.118.173.193 -j ACCEPT
#Outgoing response to internet
iptables -A FORWARD -i etho -s 129.118.173.193 -d 0/0 -j ACCEPT
iptables -A FORWARD -o eth0 -s 129.118.173.193 -d 0/0 -j ACCEPT
#Incoming request from dreamcast
iptables -A FORWARD -i ppp0 -d 0/0 -s 129.118.173.193 -j ACCEPT
iptables -A FORWARD -o ppp0 -d 0/0 -s 129.118.173.193 -j ACCEPT
#Outgoing response to dreamcast
iptables -A FORWARD -i ppp0 -d 129.118.173.193 -s 0/0 -j ACCEPT
iptables -A FORWARD -o ppp0 -d 129.118.173.193 -s 0/0 -j ACCEPT
Let me know how you make out.
Yosho
11-06-2001, 02:34 AM
Hmmm... Getting closer! I ran your script, now when I try pinging 193 from 195, I get "From gd395.dhcp.ttu.edu (129.118.173.196): Destination Port Unreachable" (remember that previously it said host unreachable, and now it also appears to be routing through 196) (By the way, in the third line of your script, you have etho rather than eth0 ;-)
When I try accessing any other IPs from the Dreamcast, it still can't connect to anything other than 196. And apparently you know a lot more about iptables than I do, so I'm kinda stabbing in the dark... Just for the heck of it I tried changing ppp0's subnet mask from 255.255.255.255 to 255.255.255.0, but then connections from and to it just always resulted in timeouts.
Also, I may go to bed soon, so if you reply and I don't answer soon, I'll be back in the morning. ;-)
jumpedintothefire
11-06-2001, 03:00 AM
**** I knew I forgot something
route add -host 129.118.173.193 gw 129.118.173.196 dev ppp0
[ 06 November 2001: Message edited by: jumpedintothefire ]
Yosho
11-06-2001, 03:22 AM
Well, you managed to catch me just as I was about to go to sleep -- I tried that, but nothing behaved differently. Here's the output of route -n, by the way:
Destination Gateway Genmask Flags Metric Ref Use Iface
255.255.255.255 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
129.118.173.193 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
129.118.173.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 129.118.173.254 0.0.0.0 UG 0 0 0 eth0
I hope that didn't get too messed up in the copy/paste...
Also, just out of curiousity -- would the iptables commands or route need to be re-run every time the connection goes up or down, or does it matter what order they're run in? (I did notice that I can only do route while it's connected, otherwise it says ppp0 doesn't exist)
jumpedintothefire
11-06-2001, 02:07 PM
Ok so forget the route command, it was late and I didn't have my head together, proxyarp should take care of that (banging head on wall). In hind sight 0/0 should not work, that worked for chains to state anyIP/anyPORT, can't do that now....
When your dialed in can you do a arp -na
you should seen something like:
? (xxx.xxx.xxx.xxx) at * PERM PUP on eth0
That says the proxyarp is installed of the ip
(xxx) on eth0, this is good.
Lets take any rules that may cause some interfence out of the way, lets use I instead of A, and drop the 0/0. This will load them ahead of any rules already loaded.
The paackets might match a MASQ rule before a FORWARD rule. so load this up.
iptables -I FORWARD -i eth0 -d 129.118.173.193 -j ACCEPT
iptables -I FORWARD -o eth0 -d 129.118.173.193 -j ACCEPT
#Outgoing response to internet
iptables -I FORWARD -i eth0 -s 129.118.173.193 -j ACCEPT
iptables -I FORWARD -o eth0 -s 129.118.173.193 -j ACCEPT
The Table rules don't need to be rerun, just a route statement if you need one. Your almost there.
Anybody else have any other iptable gotchas, hints, links that may be helpful?
Yosho
11-06-2001, 06:39 PM
YEAH! It's working perfectly now. In fact, I'm posting with it right now. ;-) Thanks for all your help, this has definitely been a learning experience.
It's a little strange, though, having broadband-like pings with 33.6k of bandwidth... ;-)
jumpedintothefire
11-06-2001, 09:03 PM
Back to the orginal problem.......
------From NAT how-to--------------
Destination NAT is specified using `-j DNAT', and the `--to-destination' option specifies an IP address, a range of IP addresses, and an optional port or !!!!>range of ports<!!!!!
(for UDP and TCP protocols only).
------------------------------------