DNAT Query

DNAT Query

[Pavan Gokarn]

[-- Attachment #1: Type: text/plain, Size: 1048 bytes --]

Hello,
    I am a system administrator new to IPTables, well pretty new. I have an issue with DNAT. my DNAT does not work internally. let me give you the configuration. I have a Firewall with 2 plumbed interface on the same card. eth0=172.16.19.231 and eth0:a=10.1.1.25. i have enabled ip_forward. now when i try to access a 10.0.0.0/8 ip address from 172.16.19.0/24 (http) using DNAT on the firewall NATBox it does not work. can you please give me a solution. the commands i issued are.
# iptables -t nat -A PREROUTING -d 172.16.19.152 -p tcp --dport 8080 -j DNAT --to 10.1.1.33:8080

#iptables -t nat -A POSTROUTING -d 10.1.1.33 -p tcp --dport 80 -j SNAT 10.1.1.25

(DNAT in the same network is working though)

can some one please help me with this. also i am writing a gui solution using 'C' as a frontend to iptables tool. Making it much easier for users to configure their firewall quickly. can someone give me the full description of NETFILTER/IPTables extentions and options (manpages is not enough)

Thanx a ton
Regards
Pavan

[-- Attachment #2: Type: text/html, Size: 1786 bytes --]

DNAT query

[Payal Rathod]

Hi,
I am trying to redirect trafffic from outside to an internal machine.  
The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
# iptables --version
iptables v1.2.9

When I give,
# iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.2:8000
iptables: Target problem

What exactly is wrong? If I try it on my Mandrake box it works. Any 
ideas?
Thanks in advance.
With warm regards,
-Payal

Re: DNAT query

[Rob Sterenborg]

On Fri, November 11, 2005 11:30, Payal Rathod wrote:
> Hi,
> I am trying to redirect trafffic from outside to an internal machine.
> The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
> # iptables --version
> iptables v1.2.9
>
> When I give,
> # iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j
> DNAT --to-destination 192.168.10.2:8000
> iptables: Target problem
>
> What exactly is wrong? If I try it on my Mandrake box it works. Any
> ideas?

Can't say that I've had any problems with this. Try:

iptables -t nat -I PREROUTING -d dyn.example.com -p tcp --dport 8000 \
  -j DNAT --to-destination 192.168.10.2:8000


Gr,
Rob

Re: DNAT query

[Jörg Harmuth]

Payal Rathod schrieb:
> Hi,
> I am trying to redirect trafffic from outside to an internal machine.  
> The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
> # iptables --version
> iptables v1.2.9
> 
> When I give,
> # iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.2:8000
> iptables: Target problem
> 
> What exactly is wrong? If I try it on my Mandrake box it works. Any 
> ideas?

Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
reason was, that is was the _only_ netfilter optio, that wasn't compiled
into the kernel :) I generally don't work with SuSE, so I don't know.
Bur maybe they still don't compile it as a kernel module.

HTH,

Joerg

Re: DNAT query

[Jörg Harmuth]

Payal Rathod schrieb:
> Hi,
> I am trying to redirect trafffic from outside to an internal machine.  
> The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
> # iptables --version
> iptables v1.2.9
> 
> When I give,
> # iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.2:8000
> iptables: Target problem
> 
> What exactly is wrong? If I try it on my Mandrake box it works. Any 
> ideas?

Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
reason was, that is was the _only_ netfilter optio, that wasn't compiled
into the kernel :) I generally don't work with SuSE, so I don't know.
Bur maybe they still don't compile it as a kernel module.

HTH,

Joerg

Re: DNAT query

[Payal Rathod]

On Fri, Nov 11, 2005 at 11:57:02AM +0100, J?rg Harmuth wrote:
> Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
> reason was, that is was the _only_ netfilter optio, that wasn't compiled
> into the kernel :) I generally don't work with SuSE, so I don't know.
> Bur maybe they still don't compile it as a kernel module.

So what do you suggest? How do I use it now? Do I have to recomiple te 
kernel for that? I never done that before.
With warm regards,
-Payal

Re: DNAT query

[Payal Rathod]

On Fri, Nov 11, 2005 at 11:46:19AM +0100, Rob Sterenborg wrote:
> iptables -t nat -I PREROUTING -d dyn.example.com -p tcp --dport 8000 \
>   -j DNAT --to-destination 192.168.10.2:8000

This does work (sorry I should have mentioned it before). But I also 
need the OUTPUT rule too, right?

With warm regards,
-Payal

Re: DNAT query

[Jörg Harmuth]

Payal Rathod schrieb:
> On Fri, Nov 11, 2005 at 11:57:02AM +0100, J?rg Harmuth wrote:
> 
>>Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
>>reason was, that is was the _only_ netfilter optio, that wasn't compiled
>>into the kernel :) I generally don't work with SuSE, so I don't know.
>>Bur maybe they still don't compile it as a kernel module.
> 
> 
> So what do you suggest? How do I use it now? Do I have to recomiple te 
> kernel for that? I never done that before.
> With warm regards,
> -Payal

It depends. But as Robs solution works for you, it looks like you only
need to redirect/forward connections (roughly: PREROUTING -> FORWARD ->
POSTROUTING). You only need nat/OUTPUT for packets, generated on the
firewall itself (roughly: local process -> OUTPUT -> POSTROUTING). If
you need to redirect locally generated packets *and* nat/OUTPUT isn't
compiled - well, yes then you have to compile the module from the kernel
sources (which in this case is simple, because you only have to enable
one option).

HTH,

Joerg

Re: DNAT query

[Payal Rathod]

On Fri, Nov 11, 2005 at 01:20:13PM +0100, J?rg Harmuth wrote:
> It depends. But as Robs solution works for you, it looks like you only
> need to redirect/forward connections (roughly: PREROUTING -> FORWARD ->
> POSTROUTING). You only need nat/OUTPUT for packets, generated on the
> firewall itself (roughly: local process -> OUTPUT -> POSTROUTING). If
[...]

I am sorry but you lost me here. Can you give the complete ruleset which 
I need now. I always thought I needed PREROUTING as well as OUTPUT.
Thanks in advance.
With warm regards,
-Payal