From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Sathi"
Subject: Destination NAT
Date: Fri, 14 Mar 2003 16:31:44 +0530
Message-ID: <045501c2ea19$1dfc4830$870110ac@samsi>
To: netfilter@lists.netfilter.org

Hello All,

I am running squid as a reverse proxy and it's working fine.

Now I need to set iptables rules to forward the ftp ports directly to the backend server for file upload.

I set the PREROUTING rules as:

/sbin/iptables -t nat -A PREROUTING -p tcp --dport 20 -d 172.16.1.10 -j DNAT --to 172.16.1.25
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -d 172.16.1.10 -j DNAT --to 172.16.1.25

Note: the reverse proxy and the backend servers are running in the same network, and the reverse proxy has only one network interface.

But I was not able to connect to the backend server.

In tcpdump I can see a request from the client to the squid server, but it is not forwarded to the backend server.

What is the correct rule to forward the ftp ports to the backend server?

Regards,
Sathi
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Ale Zeta"
Subject: Destination NAT
Date: Wed, 28 Jan 2004 17:45:04 -0300
To: netfilter@lists.netfilter.org

Can I address a UDP packet to more than one IP address at the same time?

I have

iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

as an example, but I want to send the packets to both 7.8 and also 7.10, and not do the load balancing thing....

Is it possible to do?

From Buenos Aires, Argentina.
Alex.-

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Alejandro Zaidel"
Subject: Destination NAT
Date: Wed, 28 Jan 2004 11:21:43 -0300
Message-ID: <147E1D375819F44680C3E5BFB6424C52DFC450@bcexc01.bue299.comafi.com.ar>
To: netfilter@lists.samba.org

Can I address a packet to more than one IP address at the same time?

I have

iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10

as an example, but I want to send the packets to both 7.8 and also 7.10.

Is it possible to do?

From Buenos Aires, Argentina.
Alex.-

The information contained in this e-mail is for the exclusive use of its addressees. Persons or entities other than the addressees of this e-mail are prohibited from modifying, copying or distributing it in any way. If you receive this e-mail in error, please notify the sender and delete it.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Antony Stone
Subject: Re: Destination NAT
Date: Thu, 29 Jan 2004 09:13:53 +0000
Message-ID: <200401290913.54045.Antony@Soft-Solutions.co.uk>
In-Reply-To: <147E1D375819F44680C3E5BFB6424C52DFC450@bcexc01.bue299.comafi.com.ar>
To: netfilter@lists.samba.org

On Wednesday 28 January 2004 2:21 pm, Alejandro Zaidel wrote:
> Can I address a packet to more than one IP address at the same time ??
>
> I have iptables -t nat -A PREROUTING -i eth1 -j DNAT --to
> 5.6.7.8-5.6.7.10 as an example, but I want to send the packets to both 7.8
> and also 7.10
>
> Is it possible to do ???

No. You cannot use netfilter to create duplicates of packets. Netfilter will perform various operations on the packets which exit, but it won't make multiple versions of what was originally one packet.

Regards,

Antony.

--
There are two possible outcomes: If the result confirms the hypothesis, then you've made a measurement. If the result is contrary to the hypothesis, then you've made a discovery. - Enrico Fermi

Please reply to the list; please don't CC me.
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ray Leach
Subject: Re: Destination NAT
Date: Thu, 29 Jan 2004 11:47:41 +0200
Message-ID: <1075369661.1999.94.camel@raylinux.internal>
In-Reply-To: <200401290913.54045.Antony@Soft-Solutions.co.uk>
To: Netfilter Mailing List

On Thu, 2004-01-29 at 11:13, Antony Stone wrote:
> On Wednesday 28 January 2004 2:21 pm, Alejandro Zaidel wrote:
>
> > Can I address a packet to more than one IP address at the same time ??
> >
> > I have iptables -t nat -A PREROUTING -i eth1 -j DNAT --to
> > 5.6.7.8-5.6.7.10 as an example, but I want to send the packets to both 7.8
> > and also 7.10
> >
> > Is it possible to do ???
>
> No. You cannot use netfilter to create duplicates of packets. Netfilter
> will perform various operations on the packets which exit, but it won't make
> multiple versions of what was originally one packet.
>

With the exception of the MIRROR patch ...

> Regards,
>
> Antony.

--
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Antony Stone
Subject: Re: Destination NAT
Date: Thu, 29 Jan 2004 09:46:21 +0000
Message-ID: <200401290946.21862.Antony@Soft-Solutions.co.uk>
In-Reply-To: <1075369661.1999.94.camel@raylinux.internal>
To: Netfilter Mailing List

On Thursday 29 January 2004 9:47 am, Ray Leach wrote:
> On Thu, 2004-01-29 at 11:13, Antony Stone wrote:
> >
> > No. You cannot use netfilter to create duplicates of packets.
> > Netfilter will perform various operations on the packets which exit, but
> > it won't make multiple versions of what was originally one packet.
>
> With the exception of the MIRROR patch ...

But even that only creates one packet out in response to one packet in (I think?).

Antony.

--
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o? w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5? !X- !R K--?

Please reply to the list; please don't CC me.
From mboxrd@z Thu Jan 1 00:00:00 1970
From: "black@arbbs.net"
Subject: Destination Nat
Date: Fri, 28 May 2004 07:46:39 -0600
Message-ID: <40b742bf.c1.3d5a.1536727437@arbbs.net>
Reply-To: black@arbbs.net
To: netfilter@lists.netfilter.org

I'm running Red Hat 9 and iptables 1.2.7.

I'm trying to direct web traffic to the web server on the inside. Is

iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080

right?

thanks
john

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John A. Sullivan III"
Subject: Re: Destination Nat
Date: Fri, 28 May 2004 10:18:39 -0400
Message-ID: <1085753919.14362.12.camel@localhost>
In-Reply-To: <40b742bf.c1.3d5a.1536727437@arbbs.net>
To: black@arbbs.net
Cc: netfilter@lists.netfilter.org

On Fri, 2004-05-28 at 09:46, black@arbbs.net wrote:
> Im running at red hat 9 and iptables 1.2.7
>
> im trying to direct web traffic to the web server on the
> inside.
> is [ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0
> -j DNAT --to 5.6.7.8:8080 ] right?
>
> thanks
> john

That will direct all 80/tcp packets for all addresses the station listens on to 5.6.7.8:8080? Is that what you want, or do you want to redirect packets with a specific destination address? If the public Internet address is not an IP address bound to the NAT gateway, then you will need to add it, typically:

ip address add 1.1.1.2/24 dev eth0 brd +

Finally, NAT is not access control. Once the packet hits the filter chain, you will need something, default policy or, preferably, a rule, which allows access to 5.6.7.8 on TCP port 8080.

Hope that helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "black@arbbs.net"
Subject: Re: Destination Nat
Date: Fri, 28 May 2004 08:18:09 -0600
Message-ID: <40b74a21.49.47a3.1468065555@arbbs.net>
Reply-To: black@arbbs.net
To: netfilter@lists.netfilter.org

Would it be 8080 or 80? The web server has a static IP address on the inside, 192.168.x.x.

> That will direct all 80 /tcp packets for all addresses the
> station listens on to 5.6.7.8:8080? Is that what you want
> or do you want to redirect packets with a specific
> destination address? If the public Internet address is not
> an IP address bound to the NAT gateway, then you will need
> to add it, typically: ip address add 1.1.1.2/24 dev eth0
> brd +

john

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John A. Sullivan III"
Subject: Re: Destination Nat
Date: Fri, 28 May 2004 21:56:08 -0400
Message-ID: <1085795768.14775.2.camel@localhost>
In-Reply-To: <40b74a21.49.47a3.1468065555@arbbs.net>
To: black@arbbs.net
Cc: netfilter@lists.netfilter.org

If I understand you correctly and remember your original rule, then I think you have it backward. If you are changing the destination, you probably want to change it from the public address to the private address:

iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport 8080 -j DNAT --to-destination 192.168.x.x:80

Remember to ensure that traffic to 192.168.x.x:80 is allowed on the FORWARD chain and that the NAT gateway responds to ARPs for 5.6.7.8 - John

On Fri, 2004-05-28 at 10:18, black@arbbs.net wrote:
> would it be 8080 or 80? the web server has a static ip
> address
> on the inside 192.168.x.x
>
> > That will direct all 80 /tcp packets for all addresses the
> > station listens on to 5.6.7.8:8080? Is that what you want
> > or do you want to redirect packets with a specific
> > destination address? If the public Internet address is not
> > an IP address bound to the NAT gateway, then you will need
> > to add it, typically: ip address add 1.1.1.2/24 dev eth0
> > brd +
>
> john
--
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John Black"
Subject: Re: Destination Nat
Date: Tue, 1 Jun 2004 22:38:37 -0500
Message-ID: <013201c44853$1829e220$9322a141@black>
References: <40b74a21.49.47a3.1468065555@arbbs.net> <1085795768.14775.2.camel@localhost>
To: netfilter@lists.netfilter.org

Thanks, I'll give it a try tomorrow when I get to work. What is the -p 6?

----- Original Message -----
From: John A. Sullivan III
Sent: Friday, May 28, 2004 8:56 PM
Subject: Re: Destination Nat

> If I understand you correctly and remember your original rule, then I
> think you have it backward. If you are changing the destination, you
> probably want to change it from the public address to the private
> address:

john

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John A. Sullivan III"
Subject: Re: Destination Nat
Date: Wed, 02 Jun 2004 07:19:21 -0400
Message-ID: <1086175160.4146.1.camel@localhost>
In-Reply-To: <013201c44853$1829e220$9322a141@black>
To: John Black
Cc: netfilter@lists.netfilter.org

-p 6 is the same as -p tcp, only a little faster as it does not have to look up tcp in the protocols file and translate it from tcp to 6. UDP would be -p 17, ICMP -p 1, ESP -p 50, etc.

On Tue, 2004-06-01 at 23:38, John Black wrote:
> thanks, ill give it a try tomorrow when i get to work. what is the -p 6?
> ----- Original Message -----
> From: John A. Sullivan III
> Sent: Friday, May 28, 2004 8:56 PM
> Subject: Re: Destination Nat
>
> > If I understand you correctly and remember your original rule, then I
> > think you have it backward. If you are changing the destination, you
> > probably want to change it from the public address to the private
> > address:
>
> john
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John Black"
Subject: Re: Destination Nat
Date: Wed, 2 Jun 2004 06:53:12 -0500
Message-ID: <016f01c44898$2fa221c0$9322a141@black>
References: <40b74a21.49.47a3.1468065555@arbbs.net> <1085795768.14775.2.camel@localhost> <013201c44853$1829e220$9322a141@black> <1086175160.4146.1.camel@localhost>
To: netfilter@lists.netfilter.org

Okay, thank you.

> -p 6 is the same as -p tcp only a little faster as it does not have to
> look up tcp in the protocols file and translate it from tcp to 6. UDP
> would be -p 17, ICMP -p 1, ESP -p 50, etc.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alistair Tonner
Subject: Re: Destination Nat
Date: Wed, 2 Jun 2004 11:13:58 -0400
Message-ID: <200406021113.58570.Alistair@nerdnet.ca>
In-Reply-To: <1086175160.4146.1.camel@localhost>
To: netfilter@lists.netfilter.org

On June 2, 2004 07:19 am, John A. Sullivan III wrote:
> -p 6 is the same as -p tcp only a little faster as it does not have to
> look up tcp in the protocols file and translate it from tcp to 6. UDP
> would be -p 17, ICMP -p 1, ESP -p 50, etc.

That lookup would only be done when the rule was posted or loaded. Thus, the time saving is only on loading the rule.

I believe that the rule data is *all* stored in numeric form ... But I could be completely wrong on that front.

Alistair.

> On Tue, 2004-06-01 at 23:38, John Black wrote:
> > thanks, ill give it a try tomorrow when i get to work. what is the -p 6?
> > ----- Original Message -----
> > From: John A. Sullivan III
> > Sent: Friday, May 28, 2004 8:56 PM
> > Subject: Re: Destination Nat
> >
> > > If I understand you correctly and remember your original rule, then I
> > > think you have it backward. If you are changing the destination, you
> > > probably want to change it from the public address to the private
> > > address:
> >
> > john

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Piszcz, Justin Michael"
Subject: RE: Destination Nat
Date: Wed, 2 Jun 2004 11:20:44 -0400
Message-ID: <5D3C2276FD64424297729EB733ED1F76062437F7@email1.mitretek.org>
To: Alistair Tonner, netfilter@lists.netfilter.org

Does anyone know how the data is processed? Does it perform a lookup if it is, i.e. icmp, tcp, udp etc., or does it store it in numeric form?

-----Original Message-----
From: netfilter-admin@lists.netfilter.org [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Alistair Tonner
Sent: Wednesday, June 02, 2004 11:14 AM
To: netfilter@lists.netfilter.org
Subject: Re: Destination Nat

On June 2, 2004 07:19 am, John A. Sullivan III wrote:
> -p 6 is the same as -p tcp only a little faster as it does not have to
> look up tcp in the protocols file and translate it from tcp to 6. UDP
> would be -p 17, ICMP -p 1, ESP -p 50, etc.

That lookup would only be done when the rule was posted or loaded. Thus - the time saving is only on loading the rule.

I believe that the rule data is *all* stored in numeric form ... But I could be completely wrong on that front.

Alistair.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "black@arbbs.net"
Subject: RE: Destination Nat
Date: Fri, 04 Jun 2004 09:45:06 -0600
Message-ID: <40c09902.2c9.1bbe.570207397@arbbs.net>
Reply-To: black@arbbs.net
To: netfilter@lists.netfilter.org

The rule set:

iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport 80 -j DNAT --to 192.168.x.x:80

worked perfectly.

Thank you.

But I have a new question. I'm trying to set it up so the users can access the machines through ssh.

Here is the rule set:

iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp --dport 22 -j DNAT --to 192.168.1.88:22

The problem is, when I ssh in to machine8, which is on static IP address 192.168.1.88, I actually log into machine1, which is 192.168.1.81, which is the first machine in the rule set. Where did I go wrong?

thanks
john

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John A. Sullivan III"
Subject: RE: Destination Nat
Date: Fri, 04 Jun 2004 12:14:34 -0400
Message-ID: <1086365674.15366.49.camel@localhost>
In-Reply-To: <40c09902.2c9.1bbe.570207397@arbbs.net>
To: black@arbbs.net
Cc: netfilter@lists.netfilter.org

On Fri, 2004-06-04 at 11:45, black@arbbs.net wrote:
> the rule set:
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport 80 -j
> DNAT --to 192.168.x.x:80 worked perfectly
>
> thank you
>
> but i have a new question. i'm trying to setup so the users
> can access the machines through ssh.
>
> here is the rule set:
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp --dport 22
> -j DNAT --to 192.168.1.88:22
>
> the problem is when i ssh in to machine8 which is on static
> ipaddress 192.168.1.88 i actully log into machine1 which is
> 192.168.1.81, which is the first machine in the rule set.
> where did i go wrong?
>
> thanks
> john

What are the other rules?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "black@arbbs.net"
Subject: RE: Destination Nat
Date: Fri, 04 Jun 2004 10:14:21 -0600
Message-ID: <40c09fdd.53.2397.470918728@arbbs.net>
Reply-To: black@arbbs.net
To: netfilter@lists.netfilter.org

> What are the other rules?

iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
  --dport 22 -j DNAT --to 192.168.1.81:22

iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
  --dport 22 -j DNAT --to 192.168.1.82:22

iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
  --dport 22 -j DNAT --to 192.168.1.83:22

iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
  --dport 22 -j DNAT --to 192.168.1.88:22

john

From mboxrd@z Thu Jan 1 00:00:00 1970
From: "John A. Sullivan III"
Subject: RE: Destination Nat
Date: Fri, 04 Jun 2004 12:44:45 -0400
Message-ID: <1086367484.15357.53.camel@localhost>
In-Reply-To: <40c09fdd.53.2397.470918728@arbbs.net>
To: black@arbbs.net
Cc: netfilter@lists.netfilter.org

On Fri, 2004-06-04 at 12:14, black@arbbs.net wrote:
> > What are the other rules?
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.81:22
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.82:22
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.83:22
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.88:22
>
> john

Well, that does explain it! It will always choose the first matched rule. You cannot do what you have outlined here. Well . . . you can, but it will behave exactly as you observed. There must be some distinguishing trait in the match portion of the rule to differentiate the rules -- a different public address, a different port, a different interface. Your matches are all the same!
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class VPN/Firewall/Security device management console, please visit http://iscs.sourceforge.net
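The two rule sets argued over in this archive, Sathi's FTP DNAT that is applied on the squid box yet never gets the packet to 172.16.1.25, and the four SSH rules that all deliver to 192.168.1.81, both come down to how a netfilter chain is walked and to what a DNAT rule does not do. The following Python model is an added example for this archive, not code from any of the posters or from the netfilter project. It parses the rules exactly as they were posted (resolving tcp to 6 once, at parse time, which is the point Alistair makes about -p 6), applies the first matching DNAT rule and stops, and then checks ip_forward and the FORWARD chain separately, since, as John Sullivan says, NAT is not access control. The outside client address 203.0.113.7, the per-host public ports 2281 to 2288 used to make the SSH matches distinct, and the assumption that Sathi's packet was held up after DNAT by routing or FORWARD rather than by something else, are all constructed for the example and do not come from the thread.

```python
# Added example (not from the list posts or from netfilter): a small model of a
# nat PREROUTING chain walk followed by the routing/FORWARD decision.  Only the
# iptables options used in the thread are understood; addresses are matched
# literally (no CIDR), and conntrack is left out.
import shlex
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1, "esp": 50}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int
    in_iface: str = "eth0"


@dataclass(frozen=True)
class DnatRule:
    """Match fields (None means wildcard) plus the --to-destination target."""
    to_addr: str
    to_port: Optional[int] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.dst, p.dst), (self.proto, p.proto),
                 (self.dport, p.dport), (self.in_iface, p.in_iface))
        return all(want is None or want == have for want, have in pairs)


def parse_rule(cmdline: str) -> DnatRule:
    """Parse 'iptables -t nat -A PREROUTING ... -j DNAT --to ADDR[:PORT]'."""
    toks = shlex.split(cmdline)
    opts = {}
    for i, t in enumerate(toks):
        if t in ("-t", "-A", "-d", "-p", "--dport", "-i", "-j",
                 "--to", "--to-destination"):
            opts[t] = toks[i + 1]
    if opts.get("-t") != "nat" or opts.get("-j") != "DNAT":
        raise ValueError("only nat-table DNAT rules are modelled")
    addr, _, port = opts.get("--to-destination", opts.get("--to", "")).partition(":")
    proto = opts.get("-p")
    if proto is not None:  # name-to-number lookup happens here, once, not per packet
        proto = int(proto) if proto.isdigit() else PROTOCOLS[proto.lower()]
    return DnatRule(to_addr=addr, to_port=int(port) if port else None,
                    dst=opts.get("-d"), proto=proto,
                    dport=int(opts["--dport"]) if "--dport" in opts else None,
                    in_iface=opts.get("-i"))


def prerouting(rules: List[DnatRule], pkt: Packet) -> Packet:
    """Walk the chain in order; the first matching rule rewrites the packet
    and evaluation stops, as in a real netfilter chain."""
    for r in rules:
        if r.matches(pkt):
            return replace(pkt, dst=r.to_addr,
                           dport=pkt.dport if r.to_port is None else r.to_port)
    return pkt


def forwarded(pkt: Packet, ip_forward: bool,
              forward_accepts: Callable[[Packet], bool]) -> bool:
    """After PREROUTING the packet still has to be routed (net.ipv4.ip_forward=1)
    and accepted by the filter FORWARD chain; DNAT alone decides neither."""
    return ip_forward and forward_accepts(pkt)


# The four SSH rules as posted: identical matches, different targets.
SSH_RULES_AS_POSTED = [parse_rule(
    f"iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp --dport 22 -j DNAT --to 192.168.1.{h}:22")
    for h in (81, 82, 83, 88)]

# One way to give each rule a distinguishing match: a different public port
# (2281 -> .81, 2282 -> .82, ...).  The port scheme is an assumption here.
SSH_RULES_FIXED = [parse_rule(
    f"iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport {2200 + h} -j DNAT --to 192.168.1.{h}:22")
    for h in (81, 82, 83, 88)]

# Sathi's control-connection rule from the first message.
FTP_RULE = parse_rule("/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 "
                      "-d 172.16.1.10 -j DNAT --to 172.16.1.25")


def ssh_target(rules: List[DnatRule], public_port: int) -> str:
    """Where a connection from a constructed outside client (203.0.113.7) ends up."""
    pkt = Packet(src="203.0.113.7", dst="5.6.7.8", proto=6, dport=public_port)
    return prerouting(rules, pkt).dst


def ftp_reaches_backend(ip_forward: bool, forward_allows_backend: bool) -> bool:
    """DNAT rewrites the packet either way; whether it leaves towards 172.16.1.25
    depends on ip_forward and the FORWARD chain, which the DNAT rule cannot fix."""
    pkt = Packet(src="203.0.113.7", dst="172.16.1.10", proto=6, dport=21)
    nat = prerouting([FTP_RULE], pkt)
    return forwarded(nat, ip_forward,
                     lambda p: forward_allows_backend and p.dst == "172.16.1.25")
```

Calling ssh_target(SSH_RULES_AS_POSTED, 22) returns 192.168.1.81 no matter which host the user was aiming for, ssh_target(SSH_RULES_FIXED, 2288) returns 192.168.1.88, and ftp_reaches_backend(False, True) is False even though the DNAT rule matched and rewrote the destination. Real netfilter additionally consults conntrack so that only the first packet of a connection traverses the nat table; that is deliberately left out of the model.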