* Re: Destination Nat
@ 2004-05-28 14:18 black
2004-05-29 1:56 ` John A. Sullivan III
0 siblings, 1 reply; 19+ messages in thread
From: black @ 2004-05-28 14:18 UTC (permalink / raw)
To: netfilter
Would it be 8080 or 80? The web server has a static IP address
on the inside, 192.168.x.x.
> That will direct all 80 /tcp packets for all addresses the
> station listens on to 5.6.7.8:8080? Is that what you want
> or do you want to redirect packets with a specific
> destination address? If the public Internet address is not
> an IP address bound to the NAT gateway, then you will need
> to add it, typically: ip address add 1.1.1.2/24 dev eth0
> brd +
john
* Re: Destination Nat
2004-05-28 14:18 Destination Nat black
@ 2004-05-29 1:56 ` John A. Sullivan III
2004-06-02 3:38 ` John Black
0 siblings, 1 reply; 19+ messages in thread
From: John A. Sullivan III @ 2004-05-29 1:56 UTC (permalink / raw)
To: black; +Cc: netfilter
If I understand you correctly and remember your original rule, then I
think you have it backward. If you are changing the destination, you
probably want to change it from the public address to the private
address:
iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport 8080 -j DNAT
--to-destination 192.168.x.x:80
Remember to ensure that traffic to 192.168.x.x:80 is allowed on the
FORWARD chain and that the NAT gateway responds to ARPs for 5.6.7.8 -
John
On Fri, 2004-05-28 at 10:18, black@arbbs.net wrote:
> Would it be 8080 or 80? The web server has a static IP address
> on the inside, 192.168.x.x.
>
> > That will direct all 80 /tcp packets for all addresses the
> > station listens on to 5.6.7.8:8080? Is that what you want
> > or do you want to redirect packets with a specific
> > destination address? If the public Internet address is not
> > an IP address bound to the NAT gateway, then you will need
> > to add it, typically: ip address add 1.1.1.2/24 dev eth0
> > brd +
>
> john
--
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Destination Nat
2004-05-29 1:56 ` John A. Sullivan III
@ 2004-06-02 3:38 ` John Black
2004-06-02 11:19 ` John A. Sullivan III
0 siblings, 1 reply; 19+ messages in thread
From: John Black @ 2004-06-02 3:38 UTC (permalink / raw)
To: netfilter
Thanks, I'll give it a try tomorrow when I get to work. What is the -p 6?
----- Original Message -----
From: John A. Sullivan III <john.sullivan@nexusmgmt.com>
To: <black@arbbs.net>
Cc: <netfilter@lists.netfilter.org>
Sent: Friday, May 28, 2004 8:56 PM
Subject: Re: Destination Nat
> If I understand you correctly and remember your original rule, then I
> think you have it backward. If you are changing the destination, you
> probably want to change it from the public address to the private
> address:
>
john
* Re: Destination Nat
2004-06-02 3:38 ` John Black
@ 2004-06-02 11:19 ` John A. Sullivan III
2004-06-02 11:53 ` John Black
2004-06-02 15:13 ` Alistair Tonner
0 siblings, 2 replies; 19+ messages in thread
From: John A. Sullivan III @ 2004-06-02 11:19 UTC (permalink / raw)
To: John Black; +Cc: netfilter
-p 6 is the same as -p tcp only a little faster as it does not have to
look up tcp in the protocols file and translate it from tcp to 6. UDP
would be -p 17, ICMP -p 1, ESP -p 50, etc.
On Tue, 2004-06-01 at 23:38, John Black wrote:
> Thanks, I'll give it a try tomorrow when I get to work. What is the -p 6?
> ----- Original Message -----
> From: John A. Sullivan III <john.sullivan@nexusmgmt.com>
> To: <black@arbbs.net>
> Cc: <netfilter@lists.netfilter.org>
> Sent: Friday, May 28, 2004 8:56 PM
> Subject: Re: Destination Nat
>
>
> > If I understand you correctly and remember your original rule, then I
> > think you have it backward. If you are changing the destination, you
> > probably want to change it from the public address to the private
> > address:
> >
>
> john
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: Destination Nat
2004-06-02 11:19 ` John A. Sullivan III
@ 2004-06-02 11:53 ` John Black
2004-06-02 15:13 ` Alistair Tonner
1 sibling, 0 replies; 19+ messages in thread
From: John Black @ 2004-06-02 11:53 UTC (permalink / raw)
To: netfilter
Okay, thank you.
> -p 6 is the same as -p tcp only a little faster as it does not have to
> look up tcp in the protocols file and translate it from tcp to 6. UDP
> would be -p 17, ICMP -p 1, ESP -p 50, etc.
>
* Re: Destination Nat
2004-06-02 11:19 ` John A. Sullivan III
2004-06-02 11:53 ` John Black
@ 2004-06-02 15:13 ` Alistair Tonner
1 sibling, 0 replies; 19+ messages in thread
From: Alistair Tonner @ 2004-06-02 15:13 UTC (permalink / raw)
To: netfilter
On June 2, 2004 07:19 am, John A. Sullivan III wrote:
> -p 6 is the same as -p tcp only a little faster as it does not have to
> look up tcp in the protocols file and translate it from tcp to 6. UDP
> would be -p 17, ICMP -p 1, ESP -p 50, etc.
That lookup would only be done when the rule was posted or loaded.
Thus - the time saving is only on loading the rule.
I believe that the rule data is *all* stored in numeric form ...
But I could be completely wrong on that front.
Alistair.
>
> On Tue, 2004-06-01 at 23:38, John Black wrote:
> > Thanks, I'll give it a try tomorrow when I get to work. What is the -p 6?
> > ----- Original Message -----
> > From: John A. Sullivan III <john.sullivan@nexusmgmt.com>
> > To: <black@arbbs.net>
> > Cc: <netfilter@lists.netfilter.org>
> > Sent: Friday, May 28, 2004 8:56 PM
> > Subject: Re: Destination Nat
> >
> > > If I understand you correctly and remember your original rule, then I
> > > think you have it backward. If you are changing the destination, you
> > > probably want to change it from the public address to the private
> > > address:
> >
> > john
* RE: Destination Nat
@ 2004-06-04 16:14 black
2004-06-04 16:44 ` John A. Sullivan III
0 siblings, 1 reply; 19+ messages in thread
From: black @ 2004-06-04 16:14 UTC (permalink / raw)
To: netfilter
> What are the other rules?
iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
--dport 22 -j DNAT --to 192.168.1.81:22
iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
--dport 22 -j DNAT --to 192.168.1.82:22
iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
--dport 22 -j DNAT --to 192.168.1.83:22
iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
--dport 22 -j DNAT --to 192.168.1.88:22
john
* RE: Destination Nat
2004-06-04 16:14 black
@ 2004-06-04 16:44 ` John A. Sullivan III
0 siblings, 0 replies; 19+ messages in thread
From: John A. Sullivan III @ 2004-06-04 16:44 UTC (permalink / raw)
To: black; +Cc: netfilter
On Fri, 2004-06-04 at 12:14, black@arbbs.net wrote:
> > What are the other rules?
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.81:22
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.82:22
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.83:22
>
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp \
> --dport 22 -j DNAT --to 192.168.1.88:22
>
> john
Well that does explain it! It will always choose the first matched
rule. You cannot do what you have outlined here. Well . . . you can but
it will behave exactly as you observed. There must be some
distinguishing trait in the match portion of the rule to differentiate
the rules -- a different public address, a different port, a different
interface. Your matches are all the same!
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
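The first-match behaviour John describes above, together with the earlier point that `-p 6` and `-p tcp` load as the same rule, as an added Python model of the rule walk (not code from the list or from the netfilter project; the 192.168.1.80 host and the 22xx public ports are constructed for the example):

```python
"""Model of netfilter's first-match rule walk (added example, not the list's
or the netfilter project's code).  It reproduces the thread's SSH problem:
four DNAT rules whose matches are identical all resolve to the first target,
and a distinct public --dport per host (ports constructed here) fixes it.
It also shows that '-p tcp' and '-p 6' yield the same loaded rule."""
import shlex
import socket

def proto_number(value):
    """iptables resolves a protocol name once, when the rule is loaded."""
    if value.isdigit():
        return int(value)
    try:
        return socket.getprotobyname(value)     # looks in /etc/protocols
    except OSError:                             # constructed fallback table
        return {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50}[value.lower()]

OPTS = {"-d": ("dst", str), "-p": ("proto", proto_number), "--dport": ("dport", int),
        "-i": ("iif", str), "-j": ("target", str), "--to": ("to", str),
        "--to-destination": ("to", str)}

def parse_rule(cmd):
    """Reduce one iptables command line to its match fields and target."""
    argv = shlex.split(cmd.replace("\\\n", " "))
    rule = {}
    for opt, arg in zip(argv, argv[1:]):        # walk (option, argument) pairs
        if opt in OPTS:
            key, conv = OPTS[opt]
            rule[key] = conv(arg)
    return rule

def matches(rule, pkt):
    keys = ("dst", "proto", "dport", "iif")
    return all(rule[k] == pkt[k] for k in keys if k in rule)

def dnat_destination(rules, pkt):
    """(host, port) a packet is sent to after PREROUTING: the first match
    wins, so later rules with identical matches never fire."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.get("target") != "DNAT":
                break
            host, _, port = rule["to"].partition(":")
            return host, int(port) if port else pkt["dport"]
    return pkt["dst"], pkt["dport"]             # no DNAT: unchanged

def ssh_packet(dport):
    return {"dst": "5.6.7.8", "proto": 6, "dport": dport, "iif": "eth0"}

RULE = "iptables -t nat -A PREROUTING -d 5.6.7.8 -p {p} --dport {d} -j DNAT --to {to}"
# The poster's SSH rules from the thread: every match is identical.
BROKEN = [parse_rule(RULE.format(p="tcp", d=22, to=f"192.168.1.{n}:22"))
          for n in (81, 82, 83, 88)]
# Distinct public port per host (22xx is constructed), as the reply advises.
FIXED = [parse_rule(RULE.format(p="tcp", d=2200 + n, to=f"192.168.1.{n}:22"))
         for n in (81, 82, 83, 88)]
# '-p 6' and '-p tcp' load as the same rule; only the name lookup differs.
WEB_NUMERIC = parse_rule(RULE.format(p="6", d=80, to="192.168.1.80:80"))
WEB_NAMED = parse_rule(RULE.format(p="tcp", d=80, to="192.168.1.80:80"))

if __name__ == "__main__":
    print(dnat_destination(BROKEN, ssh_packet(22)))   # always 192.168.1.81
    print(dnat_destination(FIXED, ssh_packet(2288)))  # 192.168.1.88
```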
* RE: Destination Nat
@ 2004-06-04 15:45 black
2004-06-04 16:14 ` John A. Sullivan III
0 siblings, 1 reply; 19+ messages in thread
From: black @ 2004-06-04 15:45 UTC (permalink / raw)
To: netfilter
The rule set:
iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport 80 -j
DNAT --to 192.168.x.x:80
worked perfectly. Thank you.
But I have a new question. I'm trying to set it up so the users
can access the machines through ssh.
Here is the rule set:
iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp --dport 22
-j DNAT --to 192.168.1.88:22
The problem is, when I ssh in to machine8, which is on static
IP address 192.168.1.88, I actually log into machine1, which is
192.168.1.81, which is the first machine in the rule set.
Where did I go wrong?
Thanks
john
* RE: Destination Nat
2004-06-04 15:45 black
@ 2004-06-04 16:14 ` John A. Sullivan III
0 siblings, 0 replies; 19+ messages in thread
From: John A. Sullivan III @ 2004-06-04 16:14 UTC (permalink / raw)
To: black; +Cc: netfilter
On Fri, 2004-06-04 at 11:45, black@arbbs.net wrote:
> The rule set:
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p 6 --dport 80 -j
> DNAT --to 192.168.x.x:80
> worked perfectly. Thank you.
>
> But I have a new question. I'm trying to set it up so the users
> can access the machines through ssh.
>
> Here is the rule set:
> iptables -t nat -A PREROUTING -d 5.6.7.8 -p tcp --dport 22
> -j DNAT --to 192.168.1.88:22
>
> The problem is, when I ssh in to machine8, which is on static
> IP address 192.168.1.88, I actually log into machine1, which is
> 192.168.1.81, which is the first machine in the rule set.
> Where did I go wrong?
>
> Thanks
> john
What are the other rules?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* RE: Destination Nat
@ 2004-06-02 15:20 Piszcz, Justin Michael
0 siblings, 0 replies; 19+ messages in thread
From: Piszcz, Justin Michael @ 2004-06-02 15:20 UTC (permalink / raw)
To: Alistair Tonner, netfilter
Does anyone know how the data is processed?
Does it perform a lookup if it is, i.e. icmp, tcp, udp, etc., or does it store
it in numeric form?
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Alistair
Tonner
Sent: Wednesday, June 02, 2004 11:14 AM
To: netfilter@lists.netfilter.org
Subject: Re: Destination Nat
On June 2, 2004 07:19 am, John A. Sullivan III wrote:
> -p 6 is the same as -p tcp only a little faster as it does not have to
> look up tcp in the protocols file and translate it from tcp to 6. UDP
> would be -p 17, ICMP -p 1, ESP -p 50, etc.
That lookup would only be done when the rule was posted or
loaded.
Thus - the time saving is only on loading the rule.
I believe that the rule data is *all* stored in numeric form ...
But I could be completely wrong on that front.
Alistair.
>
> On Tue, 2004-06-01 at 23:38, John Black wrote:
> > Thanks, I'll give it a try tomorrow when I get to work. What is the -p 6?
> > ----- Original Message -----
> > From: John A. Sullivan III <john.sullivan@nexusmgmt.com>
> > To: <black@arbbs.net>
> > Cc: <netfilter@lists.netfilter.org>
> > Sent: Friday, May 28, 2004 8:56 PM
> > Subject: Re: Destination Nat
> >
> > > If I understand you correctly and remember your original rule,
then I
> > > think you have it backward. If you are changing the destination,
you
> > > probably want to change it from the public address to the private
> > > address:
> >
> > john
* Destination Nat
@ 2004-05-28 13:46 black
2004-05-28 14:18 ` John A. Sullivan III
0 siblings, 1 reply; 19+ messages in thread
From: black @ 2004-05-28 13:46 UTC (permalink / raw)
To: netfilter
I'm running Red Hat 9 and iptables 1.2.7.
I'm trying to direct web traffic to the web server on the
inside.
Is [ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0
-j DNAT --to 5.6.7.8:8080 ] right?
Thanks
john
* Re: Destination Nat
2004-05-28 13:46 black
@ 2004-05-28 14:18 ` John A. Sullivan III
0 siblings, 0 replies; 19+ messages in thread
From: John A. Sullivan III @ 2004-05-28 14:18 UTC (permalink / raw)
To: black; +Cc: netfilter
On Fri, 2004-05-28 at 09:46, black@arbbs.net wrote:
> I'm running Red Hat 9 and iptables 1.2.7.
>
> I'm trying to direct web traffic to the web server on the
> inside.
> Is [ iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0
> -j DNAT --to 5.6.7.8:8080 ] right?
>
> Thanks
> john
That will direct all 80 /tcp packets for all addresses the station
listens on to 5.6.7.8:8080? Is that what you want or do you want to
redirect packets with a specific destination address?
If the public Internet address is not an IP address bound to the NAT
gateway, then you will need to add it, typically:
ip address add 1.1.1.2/24 dev eth0 brd +
Finally, NAT is not access control. Once the packet hits the filter
chain, you will need something, default policy or, preferably, a rule,
which allows access to 5.6.7.8 on TCP port 8080. Hope that helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Destination NAT
@ 2004-01-28 20:45 Ale Zeta
0 siblings, 0 replies; 19+ messages in thread
From: Ale Zeta @ 2004-01-28 20:45 UTC (permalink / raw)
To: netfilter
Can I address a UDP packet to more than one IP address at the same time?
I have iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10
as an example, but I want to send the packets to both 7.8 and also 7.10
and not do the load balancing thing....
Is it possible to do?
From Buenos Aires, Argentina.
Alex.-
* Destination NAT
@ 2004-01-28 14:21 Alejandro Zaidel
2004-01-29 9:13 ` Antony Stone
0 siblings, 1 reply; 19+ messages in thread
From: Alejandro Zaidel @ 2004-01-28 14:21 UTC (permalink / raw)
To: netfilter
Can I address a packet to more than one IP address at the same time?
I have iptables -t nat -A PREROUTING -i eth1 -j DNAT --to 5.6.7.8-5.6.7.10
as an example, but I want to send the packets to both 7.8 and also 7.10.
Is it possible to do?
From Buenos Aires, Argentina.
Alex.-
The information contained in this e-mail is for the exclusive use of its addressees.
Persons or entities that are not the addressees of this e-mail are prohibited
from making any kind of modification, copy or distribution of it.
If you receive this e-mail in error, please notify the sender and delete it.
* Re: Destination NAT
2004-01-28 14:21 Alejandro Zaidel
@ 2004-01-29 9:13 ` Antony Stone
2004-01-29 9:47 ` Ray Leach
0 siblings, 1 reply; 19+ messages in thread
From: Antony Stone @ 2004-01-29 9:13 UTC (permalink / raw)
To: netfilter
On Wednesday 28 January 2004 2:21 pm, Alejandro Zaidel wrote:
> Can I address a packet to more than one IP address at the same time ??
>
> I have iptables -t nat -A PREROUTING -i eth1 -j DNAT --to
> 5.6.7.8-5.6.7.10 as an example, but I want to send the packets to both 7.8
> and also 7.10
>
> Is it possible to do ???
No. You cannot use netfilter to create duplicates of packets. Netfilter
will perform various operations on the packets which exit, but it won't make
multiple versions of what was originally one packet.
Regards,
Antony.
--
There are two possible outcomes:
If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.
- Enrico Fermi
Please reply to the list;
please don't CC me.
* Re: Destination NAT
2004-01-29 9:13 ` Antony Stone
@ 2004-01-29 9:47 ` Ray Leach
2004-01-29 9:46 ` Antony Stone
0 siblings, 1 reply; 19+ messages in thread
From: Ray Leach @ 2004-01-29 9:47 UTC (permalink / raw)
To: Netfilter Mailing List
On Thu, 2004-01-29 at 11:13, Antony Stone wrote:
> On Wednesday 28 January 2004 2:21 pm, Alejandro Zaidel wrote:
>
> > Can I address a packet to more than one IP address at the same time ??
> >
> > I have iptables -t nat -A PREROUTING -i eth1 -j DNAT --to
> > 5.6.7.8-5.6.7.10 as an example, but I want to send the packets to both 7.8
> > and also 7.10
> >
> > Is it possible to do ???
>
> No. You cannot use netfilter to create duplicates of packets. Netfilter
> will perform various operations on the packets which exit, but it won't make
> multiple versions of what was originally one packet.
>
With the exception of the MIRROR patch ...
> Regards,
>
> Antony.
--
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
* Re: Destination NAT
2004-01-29 9:47 ` Ray Leach
@ 2004-01-29 9:46 ` Antony Stone
0 siblings, 0 replies; 19+ messages in thread
From: Antony Stone @ 2004-01-29 9:46 UTC (permalink / raw)
To: Netfilter Mailing List
On Thursday 29 January 2004 9:47 am, Ray Leach wrote:
> On Thu, 2004-01-29 at 11:13, Antony Stone wrote:
> >
> > No. You cannot use netfilter to create duplicates of packets.
> > Netfilter will perform various operations on the packets which exit, but
> > it won't make multiple versions of what was originally one packet.
>
> With the exception of the MIRROR patch ...
But even that only creates one packet out in response to one packet in (I
think?).
Antony.
--
G- GIT/E d- s+:--(-) a+ C++++$ UL++++$ P+(---)>++ L+++(++++)$ !E W(-) N(-) o?
w-- O !M V+++(--) !PS !PE Y+ PGP+> t- tv@ b+++ DI++ D--- e++>+++ h++ r@? 5?
!X- !R K--?
Please reply to the list;
please don't CC me.
* Destination NAT
@ 2003-03-14 11:01 Sathi
0 siblings, 0 replies; 19+ messages in thread
From: Sathi @ 2003-03-14 11:01 UTC (permalink / raw)
To: netfilter
Hello All,
I am running squid as a reverse proxy and it's working fine.
Now I need to set iptables rules to forward the FTP ports directly to the backend server for file upload.
I set the PREROUTING rules as
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 20 -d 172.16.1.10 -j DNAT --to 172.16.1.25
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 21 -d 172.16.1.10 -j DNAT --to 172.16.1.25
Note: the reverse proxy and backend servers are running in the same network, and the reverse proxy has only one network interface.
But I was not able to connect to the backend server.
In tcpdump I can see a request from the client to the squid server, but it is not forwarding to the backend server.
What is the correct rule to forward the FTP ports to the backend server?
Regards,
Sathi