4

I'm hoping there's something obvious I've missed here. I have NAT rules set up to forward a few different ports to an internal machine. When a request comes in from the internet, everything works as planned.

However, if I hit my external IP from inside the network with the same port, the request terminates at the firewall machine instead of being forwarded to the right place.

Is there something obvious that I'm doing wrong? The generated iptables rules are below.

```
# Generated by iptables-save v1.4.4 on Wed Sep  7 20:36:37 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:Cid4488E49C.0 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.11/32 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -s XXX.XXX.XXX.XXX/32 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.1/32 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -m state --state NEW -j ACCEPT
-A INPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT
-A FORWARD -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp -m multiport --dports 5050,22,5900 -m state --state NEW -j Cid4488E49C.0
-A OUTPUT -p udp -m udp --dport 67 -m state --state NEW -j Cid4488E49C.0
-A OUTPUT -d 10.0.0.11/32 -p tcp -m tcp --dport 5900 -m state --state NEW -j ACCEPT
-A OUTPUT -d 10.0.0.10/32 -p tcp -m tcp --dport 5050 -m state --state NEW -j ACCEPT
-A OUTPUT -s 10.0.0.0/24 -m state --state NEW -j ACCEPT
-A OUTPUT -j DROP
-A Cid4488E49C.0 -d XXX.XXX.XXX.XXX/32 -j ACCEPT
-A Cid4488E49C.0 -d 10.0.0.1/32 -j ACCEPT
COMMIT
# Completed on Wed Sep  7 20:36:37 2011
# Generated by iptables-save v1.4.4 on Wed Sep  7 20:36:37 2011
*nat
:PREROUTING ACCEPT [114:15633]
:POSTROUTING ACCEPT [1:48]
:OUTPUT ACCEPT [1:48]
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A OUTPUT -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
COMMIT
# Completed on Wed Sep  7 20:36:37 2011
```
demonbane
  • [hairpin nat](http://serverfault.com/search?q=%2Bhairpin+%2Bnat). Many people solve the hairpin NAT problem with split horizon DNS. – Zoredache Sep 08 '11 at 03:45
  • That is an option, but I'm trying to stay away from it because I know it **could** work. Our previous router (which sucked) was able to do this sort of setup just fine, I just can't figure out how to make fwbuilder/iptables do what I want in this case. – demonbane Sep 08 '11 at 03:51

2 Answers

4

If you are connecting to the 10.0.0.10 server from another machine on the 10.0.0.0/24 network there could be a problem with the way packets are routed. For example, if your source is 10.0.0.99 and you connect to 10.0.0.10 via the public IP address, the response packets from the 10.0.0.10 server will be sent directly to 10.0.0.99 which will drop them since it doesn't have a half-open connection with 10.0.0.10 (the half-open connection is with the public IP).

One possible solution is double NAT. Here's an example:

http://www.fwbuilder.org/4.0/docs/users_guide5/double_nat.html

Btw, a better place to get fwbuilder support is from either the fwbuilder mailing list or discussion forum on SF.

http://sourceforge.net/projects/fwbuilder/forums/forum/16372

https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

Mike H.
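As an added example of the double NAT the answer points to (this is not code from the question, the answer or fwbuilder): a POSIX shell script that prints the hairpin rules for one forwarded port, plus a small checker that reads iptables rules (iptables-save output or plain `iptables ...` command lines) and reports DNAT targets that have no hairpin SNAT/MASQUERADE rule. It assumes eth1 is the internet side and eth0 the LAN side, keeps XXX.XXX.XXX.XXX in place of the masked public address, and the function names `hairpin_nat_rules`, `missing_hairpin_snat` and `question_table_with_hairpin` are mine.

```shell
#!/bin/sh
# Added example, not from the question or from fwbuilder. Assumptions not
# stated on the page: eth1 = internet side, eth0 = LAN side, the firewall's
# LAN address is the one MASQUERADE picks on eth0, XXX.XXX.XXX.XXX = the
# real public address.

# Print the three iptables commands that make PUBLIC_IP:PORT reachable from
# the LAN. Usage: hairpin_nat_rules PUBLIC_IP LAN_NET LAN_IF SERVER_IP PORT
hairpin_nat_rules() {
    pub=$1; lan=$2; lanif=$3; srv=$4; port=$5
    # 1. DNAT LAN clients that connect to the public address. The question's
    #    PREROUTING rules carry no -i restriction, so they already do this;
    #    it is listed so the printed set is complete on its own.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s/32 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$lanif" "$lan" "$pub" "$port" "$srv" "$port"
    # 2. The missing piece: rewrite the source of the hairpinned flow to the
    #    firewall's LAN address, so the server replies to the firewall, which
    #    un-NATs the reply back to PUBLIC_IP:PORT -> client. Without this the
    #    server answers the client directly from SERVER_IP:PORT and the
    #    client's socket, which is talking to PUBLIC_IP:PORT, resets it.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s/32 -p tcp --dport %s -j MASQUERADE\n' \
        "$lanif" "$lan" "$srv" "$port"
    # 3. The flow now enters and leaves on the LAN interface; allow it.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s/32 -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$lanif" "$lanif" "$lan" "$srv" "$port"
}

# Read rules on stdin. For every PREROUTING DNAT rule with an ip:port
# target, look for a POSTROUTING SNAT or MASQUERADE rule aimed at that
# target. Prints the targets that lack one and returns 1 if any do.
# (DNAT rules without a port in --to-destination are skipped.)
missing_hairpin_snat() {
    rules=$(cat)
    missing=$(printf '%s\n' "$rules" \
        | awk '/-A PREROUTING .*-j DNAT --to-destination /{
                 n = split($NF, a, ":"); if (n == 2) print a[1], a[2] }' \
        | sort -u \
        | while read -r ip port; do
            ipre=$(printf '%s' "$ip" | sed 's/\./\\./g')   # literal dots
            printf '%s\n' "$rules" \
                | grep -qE -- "-A POSTROUTING .*-d $ipre/32 .*--dport $port .*-j (SNAT|MASQUERADE)" \
                || printf '%s:%s\n' "$ip" "$port"
          done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the nat table from the question (public IP masked as
# in the post). It has DNAT rules but no hairpin SNAT.
QUESTION_NAT_TABLE='*nat
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5050 -j DNAT --to-destination 10.0.0.10:5050
-A PREROUTING -d XXX.XXX.XXX.XXX/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.0.0.11:5900
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
COMMIT'

# The question's table with hairpin rules for both forwards appended.
question_table_with_hairpin() {
    printf '%s\n' "$QUESTION_NAT_TABLE"
    hairpin_nat_rules XXX.XXX.XXX.XXX 10.0.0.0/24 eth0 10.0.0.10 5050
    hairpin_nat_rules XXX.XXX.XXX.XXX 10.0.0.0/24 eth0 10.0.0.11 5900
}

echo "== question's nat table =="
printf '%s\n' "$QUESTION_NAT_TABLE" | missing_hairpin_snat \
    || echo "(DNAT targets above have no hairpin SNAT)"
echo "== with hairpin rules added =="
question_table_with_hairpin | missing_hairpin_snat \
    && echo "every DNAT target has a hairpin SNAT"
```

Run as-is to see the check; run the printed `iptables` commands as root (or add the equivalent NAT rules in fwbuilder) to apply them. MASQUERADE uses the primary address of eth0; use `-j SNAT --to-source <firewall LAN IP>` if you want a fixed one. One side effect worth knowing before you deploy it: for hairpinned connections the internal server logs the firewall's LAN address as the client, not the real client, which is one reason people prefer split-horizon DNS. The checker is purely textual and only pairs DNAT rules that name an ip:port with SNAT/MASQUERADE rules that name the same `-d` and `--dport`.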
-2

If it's open to the world and you can access the server via its internal IP then I see no problem. If you really want to access it from the external IP internally then I would ask to see a copy of the error log or access log on the NAT. Are you also perhaps behind a proxy or second IP where your "external" IP is different than that of the NAT? Hopefully we can solve this.

4wk_
U4iK_HaZe
  • Well I was perusing this article: http://blog.fwbuilder.org/2011/07/firewall-builder-5-attached-networks.html and thought you may enjoy it too or even find it useful. – U4iK_HaZe Sep 08 '11 at 03:37