From: "Michael Menges"
Subject: Forwarding Help
Date: Thu, 20 Nov 2003 15:26:44 -0500
To: netfilter@lists.netfilter.org

GlacierHello folks. What's the best way to handle this situation:

I wish to have my gateway/firewall using iptables to forward incoming internet traffic destined to port 443 (https) to another machine on my localnet (192.168.0.10), keeping the same port number, obviously. I'm on a cable connection with a dynamic IP address, of course. I've read the FAQs and man page but am yet unable to come up with the proper syntax. Any generic command structures would be most helpful.

hasta,
Mike
From: Antony Stone
Subject: Re: Forwarding Help
Date: Thu, 20 Nov 2003 20:40:54 +0000
To: netfilter@lists.netfilter.org

On Thursday 20 November 2003 8:26 pm, Michael Menges wrote:
> GlacierHello folks. What's the best way to handle this situation:
>
> I wish to have my gateway/firewall using iptables to forward incoming
> internet traffic destined to port 443 (https) to another machine on my
> localnet (192.168.0.10) keeping the same port number, obviously. I'm on a
> cable connection with a dynamic IP address, of course. I've read the FAQ's
> and man page but yet unable to come up with the proper syntax. Any generic
> command structures would be most helpful.

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.10
iptables -A FORWARD -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT

eth0 is your external interface. Adjust the rule if this assumption is incorrect.

Ask if you don't see why the above rules do what you want.

PS: What does "Glacier" mean?

Antony.

--
How I want a drink, alcoholic of course, after the heavy chapters involving quantum mechanics.
 - 3.14159265358979

Please reply to the list; please don't CC me.
From: Jeffrey Laramie
Subject: Re: Forwarding Help
Date: Thu, 20 Nov 2003 16:23:18 -0500
To: netfilter@lists.netfilter.org

Antony Stone wrote:
> On Thursday 20 November 2003 8:26 pm, Michael Menges wrote:
> [...]
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to
> 192.168.0.10
> iptables -A FORWARD -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT

Do you mean -d 192.168.0.10 here? ;-)

> eth0 is your external interface. Adjust the rule if this assumption is
> incorrect
>
> Ask if you don't see why the above rules do what you want.
>
> PS: What does "Glacier" mean?

That didn't show up in my mail. I think it has something to do with his html formatting.

Jeff

From: "Eric Wood"
Subject: Re: Forwarding Help
Date: Thu, 20 Nov 2003 16:20:10 -0500
To: netfilter

----- Original Message -----
> From: Michael Menges
> I wish to have my gateway/firewall using iptables to forward incoming internet traffic destined to port 443 (https) to another machine on my localnet
> (192.168.0.10) keeping the same port number, obviously. I'm on a cable connection with a dynamic IP address, of course. I've read the FAQ's and man
> page but yet unable to come up with the proper syntax. Any generic command structures would be most helpful.

As far as your dynamic IP address is concerned, I've seen where a US Robotics wireless router will actually update your DynDNS account for you automatically without needing the software on your server. I guess other routers are coming with this feature built in nowadays.

-eric wood

From: Antony Stone
Subject: Re: Forwarding Help
Date: Thu, 20 Nov 2003 21:37:51 +0000
To: netfilter@lists.netfilter.org

On Thursday 20 November 2003 9:23 pm, Jeffrey Laramie wrote:
> Antony Stone wrote:
> > iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to
> > 192.168.0.10
> > iptables -A FORWARD -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT
>
> Do you mean -d 192.168.0.10 here? ;-)

Definitely :-)

> > PS: What does "Glacier" mean?
>
> That didn't show up in my mail. I think it has something to do with his
> html formatting.

HTML???? Ugh!!!

Antony

--
In science, one tries to tell people in such a way as to be understood by everyone something that no-one ever knew before. In poetry, it is the exact opposite.
 - Paul Dirac

Please reply to the list; please don't CC me.

From: sc2@gmx.at
Subject: Forwarding help
Date: Wed, 26 Nov 2003 23:03:14 +0100
To: netfilter@lists.netfilter.org

Hello,
I use iptables .7, but it does not work (forward); any ideas?
Thank you.
PS: I have made the same rules as below for tcp as well, not only for udp.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -j LOG
iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to ip:port

From: zechim
Subject: Re: Forwarding help
Date: Wed, 26 Nov 2003 20:30:21 -0200 (BRST)
To: sc2@gmx.at
Cc: netfilter@lists.netfilter.org

On Wed, 26 Nov 2003 sc2@gmx.at wrote:
|| hello
|| i use iptables .7, but it does not work (forward) , any ideas?
|| thank you ,
|| ps: same rules down i have make for tcp match not only for udp
||
|| echo "1" > /proc/sys/net/ipv4/ip_forward
|| iptables -F FORWARD
|| iptables -t nat -F
|| iptables -A FORWARD -j LOG
|| iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
|| iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to
|| ip:port

iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to-destination ip

+ Lucas de Camargo Zechim
+ IT Administrator
+ phone: 55 19 3492 8894
+ CNEC Capivari
+ Rua Barão do Rio Branco, 374
+ 13360-000 Capivari / São Paulo / Brasil
+ email by pine 4.58 / Slackware Linux 9.1 / kernel 2.4.22-xfs
+ "The powerful can kill one, two or three roses, but
+ they will never manage to hold back the whole spring"

From: Antony Stone
Subject: Re: Forwarding help
Date: Wed, 26 Nov 2003 22:30:31 +0000
To: netfilter@lists.netfilter.org

On Wednesday 26 November 2003 10:03 pm, sc2@gmx.at wrote:
> hello
> i use iptables .7, but it does not work (forward) , any ideas?
> thank you ,
> ps: same rules down i have make for tcp match not only for udp
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -j LOG
> iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to
> ip:port

I assume in that last rule the two occurrences of "ip" are different.

Which one is specified in the FORWARD rule?
Make sure it is the translated address (ie the address on the packet after it has gone through the PREROUTING rule), because it will no longer have the original destination address by the time it hits the FORWARD chain.

If that's not the answer then post your actual ruleset (by all means munge the addresses if you don't want us to know exactly what they are, but let us see which ones are which...)

Antony.

--
Wanted: telepath. You know where to apply.

Please reply to the list; please don't CC me.

From: sc2@gmx.at
Subject: Re: Forwarding help
Date: Thu, 27 Nov 2003 12:07:36 +0100
To: netfilter@lists.netfilter.org

Thanks for the answer, Antony.
Here is the complete rules list; sorry for the xx.xx.xx, it was stupid of me (full range)...
IP: xx.xxx.24.51 should be forwarded to IP: xx.xxx.24.58 (only for 1 port).
Thank you.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -j LOG
iptables -A FORWARD -p udp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d xx.xxx.24.51 --dport xxx21 -j DNAT --to xx.xxx.24.58:xx021

iptables -A FORWARD -p tcp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d xx.xxx.24.51 --dport xxx21 -j DNAT --to xx.xxx.xx.58:xxx21

> On Wednesday 26 November 2003 10:03 pm, sc2@gmx.at wrote:
> [...]
> I assume in that last rule the two occurrences of "ip" are different.
>
> Which one is specified in the FORWARD rule? Make sure it is the translated
> address (ie the address on the packet after it has gone through the
> PREROUTING rule), because it will no longer have the original destination
> address by the time it hits the FORWARD chain.
>
> If that's not the answer then post your actual ruleset (by all means munge the
> addresses if you don't want us to know exactly what they are, but let us see
> which ones are which...)
>
> Antony.

From: Antony Stone
Subject: Re: Forwarding help
Date: Thu, 27 Nov 2003 11:34:06 +0000
To: netfilter@lists.netfilter.org

On Thursday 27 November 2003 11:07 am, sc2@gmx.at wrote:
> Thx for answer antony
> here the complet rules list, sorry for this xx.xx.xx it was stupid from me
> (full range)...
> Ip : xx.xxx.24.51 , should be fw to ip: xx.xxx.24.58
> (only for 1 port)
> thank you
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -j LOG
> iptables -A FORWARD -p udp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -d xx.xxx.24.51 --dport xxx21 -j
> DNAT --to xx.xxx.24.58:xx021
>
> iptables -A FORWARD -p tcp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d xx.xxx.24.51 --dport xxx21 -j
> DNAT --to xx.xxx.xx.58:xxx21

The only thing I can see missing here is a rule to allow the replies back through the Firewall in the other direction (the FORWARD rules you have shown only allow the first packet of the initial connection).

So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" might be a good idea.

However, the fact that the original address, and the translated address, are both in the same network range, makes me ask "is the client which is trying to access xx.xxx.25.51 on the other side of the Firewall (ie the client must not be on the same subnet as the server xx.xxx.25.58)?"

My final question is: what is the actual port number (or alternatively, what is the service you are trying to NAT)? Are you sure it is a protocol which doesn't mind being NATted (some do, some don't, some need helpers)?

Antony.

--
Abandon hope, all ye who enter here. You'll feel much better about things once you do.

Please reply to the list; please don't CC me.
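The two points Antony makes in this thread (the FORWARD rule must match the translated, post-DNAT address, and replies need an ESTABLISHED,RELATED rule) as an added worked model; this is not code from the thread or from the netfilter project. It models a simplified subset of iptables rule semantics, uses the thread's 192.168.0.10 and eth0, and assumes the constructed documentation addresses 203.0.113.5 (the dynamic public IP) and 198.51.100.7 (a client).

```python
"""Model of the netfilter path a forwarded packet takes (added example, not
from the thread): nat PREROUTING runs before routing, so FORWARD only sees the
translated destination, and reply packets need an ESTABLISHED,RELATED rule.
The rule syntax is a simplified iptables subset; 203.0.113.5 and 198.51.100.7
are constructed documentation addresses, not values from the thread."""
from dataclasses import dataclass, replace
from typing import Optional

EXT_IF, PUBLIC_IP = "eth0", "203.0.113.5"        # constructed public address
SERVER, CLIENT = "192.168.0.10", "198.51.100.7"  # server from the thread, constructed client


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    in_if: str


@dataclass
class Rule:
    """Tiny subset of an iptables rule; a None field means 'match anything'."""
    target: str                   # ACCEPT, DROP, LOG or DNAT
    proto: Optional[str] = None   # -p
    dst: Optional[str] = None     # -d
    dport: Optional[int] = None   # --dport
    in_if: Optional[str] = None   # -i
    state: Optional[str] = None   # -m state --state, e.g. "ESTABLISHED,RELATED"
    to: Optional[str] = None      # --to-destination for DNAT

    def matches(self, pkt: Packet, state: str) -> bool:
        return all([
            self.proto in (None, pkt.proto),
            self.dst in (None, pkt.dst),
            self.dport in (None, pkt.dport),
            self.in_if in (None, pkt.in_if),
            self.state is None or state in self.state.split(","),
        ])


class Firewall:
    """Traversal order modelled: conntrack lookup -> nat PREROUTING (NEW only)
    -> routing -> filter FORWARD (default policy DROP)."""

    def __init__(self, prerouting, forward, policy="DROP"):
        self.prerouting, self.forward, self.policy = prerouting, forward, policy
        self.conntrack = set()  # (proto, src, dst) of accepted flows, post-DNAT

    def process(self, pkt: Packet) -> str:
        # A packet flowing back along a tracked flow is ESTABLISHED; conntrack
        # undoes the DNAT for it, so the nat table is not consulted again.
        reply_of = (pkt.proto, pkt.dst, pkt.src)
        state = "ESTABLISHED" if reply_of in self.conntrack else "NEW"
        if state == "NEW":
            for r in self.prerouting:
                if r.matches(pkt, state) and r.target == "DNAT":
                    pkt = replace(pkt, dst=r.to)  # rewritten before routing/FORWARD
                    break
        for r in self.forward:  # FORWARD therefore only ever sees the translated dst
            if not r.matches(pkt, state):
                continue
            if r.target == "LOG":
                continue        # LOG is non-terminating
            if r.target == "ACCEPT" and state == "NEW":
                self.conntrack.add((pkt.proto, pkt.src, pkt.dst))
            return r.target
        return self.policy


def forwarding_verdicts(forward_dst: str, state_rule: bool) -> tuple:
    """Run the thread's DNAT + FORWARD rules (plus a LOG rule like sc2's) with the
    FORWARD rule's -d set to forward_dst and optionally the ESTABLISHED,RELATED
    rule; return the (inbound, reply) verdicts."""
    prerouting = [Rule("DNAT", proto="tcp", dport=443, in_if=EXT_IF, to=SERVER)]
    forward = [Rule("LOG"), Rule("ACCEPT", proto="tcp", dst=forward_dst, dport=443)]
    if state_rule:  # "iptables -I FORWARD ..." inserts at the top of the chain
        forward.insert(0, Rule("ACCEPT", state="ESTABLISHED,RELATED"))
    fw = Firewall(prerouting, forward)
    inbound = fw.process(Packet("tcp", CLIENT, PUBLIC_IP, 443, EXT_IF))
    reply = fw.process(Packet("tcp", SERVER, CLIENT, 40000, "eth1"))
    return inbound, reply
```

`forwarding_verdicts("192.168.0.1", True)` reproduces the typo from the first thread (the DNAT fires but FORWARD never matches, so nothing gets through), while `forwarding_verdicts("192.168.0.10", False)` lets the first packet in but drops the server's reply until the state rule is added.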
From: sc2@gmx.at
Subject: Re: Forwarding help
Date: Thu, 27 Nov 2003 13:48:04 +0100
To: netfilter@lists.netfilter.org

So,

a.)
> So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" might
> be a good idea.

I should include this?

b.) The port / service is a udp/tcp port of a Half-Life game server, so the clients are not on the same subnet; they are connecting to x.24.51 and should be forwarded to .24.58.

cya

From: Antony Stone
Subject: Re: Forwarding help
Date: Thu, 27 Nov 2003 12:58:29 +0000
To: netfilter@lists.netfilter.org

On Thursday 27 November 2003 12:48 pm, sc2@gmx.at wrote:
> > So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
> > might be a good idea.
>
> i should include this ?

This will allow the reply packets back again - if you don't have this, you need a specific rule to allow those the same as you have a specific rule to allow the original packets. Don't forget communications go both ways through a firewall :)

> b.) the port / service is a udp/tcp , port of a half - life game server, so
> the clients are not on the same subnet
> they are connecting to x.24.51 > and should FW to .24.58:

Does halflife work through NAT?

I don't know (maybe someone else here does), but you should be aware that there are some protocols which just work through NAT, some which are a bit of a challenge, and some which won't work at all. I don't know which group halflife falls into.

Antony.

--
Most people have more than the average number of legs.

Please reply to the list; please don't CC me.

From: Ray Leach
Subject: Re: Forwarding help
Date: Thu, 27 Nov 2003 15:14:36 +0200
To: Netfilter Mailing List

On Thu, 2003-11-27 at 14:58, Antony Stone wrote:
> On Thursday 27 November 2003 12:48 pm, sc2@gmx.at wrote:
> > > So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
> > > might be a good idea.
> >
> > i should include this ?
> This will allow the reply packets back again - if you don't have this, you
> need a specific rule to allow those the same as you have a specific rule to
> allow the original packets. Don't forget communications go both ways
> through a firewall :)
>
> > b.) the port / service is a udp/tcp , port of a half - life game server, so
> > the clients are not on the same subnet
> > they are connecting to x.24.51 > and should FW to .24.58:
>
> Does halflife work through NAT?
>
> I don't know (maybe someone else here does), but you should be aware that
> there are some protocols which just work through NAT, some which are a bit of
> a challenge, and some which won't work at all.

Halflife, like most network games, uses UDP, so should be able to work through nat.

> I don't know which group halflife falls into.
>
> Antony.

--
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--

From: Antony Stone
Subject: Re: Forwarding help
Date: Thu, 27 Nov 2003 13:21:16 +0000
To: Netfilter Mailing List

On Thursday 27 November 2003 1:14 pm, Ray Leach wrote:
> Halflife like most network games uses UDP, so should be able to work
> through nat.

I'm not sure I see the reasoning here. Just because something uses UDP doesn't automatically mean it will work through nat?

The criterion for whether a protocol will work through nat or not is whether the IP address that each end-system thinks it has gets embedded in the communication somewhere or not. If those addresses do get embedded in the packet contents, then it won't work through nat without a helper which understands where and how the embedding is done, and can fiddle about with it.

I don't think it makes any difference whether the packets get to the other end by TCP, UDP or anything else?

Antony.

--
The first fifty percent of an engineering project takes ninety percent of the time, and the remaining fifty percent takes another ninety percent of the time.

Please reply to the list; please don't CC me.