* question about -t nat
From: Postmaster @ 2004-06-19 16:46 UTC (permalink / raw)
To: netfilter
Hello list users,
I want to clean up my PREROUTING and POSTROUTING chains with rules like this:
iptables -t nat -A PREROUTING -i eth0 -j first_group
iptables -t nat -A PREROUTING -i eth1 -j second_group
iptables -t nat first_group -s a.b.c.d -d x/y -p tcp --sport 1024:65535 \
    --dport 10001 -j DNAT --to-destination 1.2.3.4:25
iptables -t nat second_group -s a.b.c.d -d x/y -p tcp --sport 1024:65535 \
    --dport 10002 -j DNAT --to-destination 4.5.6.7:25
Is there any module which makes this possible?
Best regards
Jan
* Re: question about -t nat
From: John A. Sullivan III @ 2004-06-19 17:18 UTC (permalink / raw)
To: Postmaster; +Cc: netfilter
On Sat, 2004-06-19 at 12:46, Postmaster wrote:
> Hello list users,
>
> I want to clean up my PREROUTING and POSTROUTING chains with rules like this:
>
> iptables -t nat -A PREROUTING -i eth0 -j first_group
> iptables -t nat -A PREROUTING -i eth1 -j second_group
>
> iptables -t nat first_group -s a.b.c.d -d x/y -p tcp --sport 1024:65535 \
>     --dport 10001 -j DNAT --to-destination 1.2.3.4:25
> iptables -t nat second_group -s a.b.c.d -d x/y -p tcp --sport 1024:65535 \
>     --dport 10002 -j DNAT --to-destination 4.5.6.7:25
>
> Is there any module which makes this possible?
<snip>
I'm not sure I see the problem, other than adding an action such as -A or -I
to the user-defined chain rules. - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: question about -t nat
From: Postmaster @ 2004-06-19 17:57 UTC (permalink / raw)
To: netfilter
Surely, I'll buy an -A ;)
I'm so excited because of Formula One in Indy. But my question still
remains.
best regards
Jan
* Re: question about -t nat
From: John A. Sullivan III @ 2004-06-19 18:38 UTC (permalink / raw)
To: Postmaster; +Cc: netfilter
On Sat, 2004-06-19 at 13:57, Postmaster wrote:
> Surely, I'll buy an -A ;)
> I'm so excited because of Formula One in Indy. But my question still
> remains.
>
> best regards
>
> Jan
But what, exactly, is the question?
* Re: question about -t nat
From: Postmaster @ 2004-06-19 19:54 UTC (permalink / raw)
To: netfilter
> But what, exactly, is the question?
I'm not sure after your question. The following error, "iptables: target
problem", comes if I enter this rule in a user chain:
iptables -t nat -A first_group -s a.b.c.d -d x/y -p tcp --dport 10001 \
-j DNAT --to-destination 1.2.3.4:25
Here are my version and modules:
uname -r --> 2.4.20
iptables -V --> v1.2.8
lsmod --> ipt_REJECT
ipt_REDIRECT
ipt_limit
ipt_LOG
ipt_multiport
ipt_state
ipt_MASQUERADE
iptable_filter
iptable_nat
ip_conntrack_ftp
ip_conntrack
ip_tables
After your question I made a test on another machine. What a miracle, the same
rule works fine. And here is my question again: what kind of module is missing
for me?
best regards
Jan
* Re: question about -t nat
From: John A. Sullivan III @ 2004-06-19 22:18 UTC (permalink / raw)
To: Postmaster; +Cc: netfilter
On Sat, 2004-06-19 at 15:54, Postmaster wrote:
> > But what, exactly, is the question?
>
> I'm not sure after your question. The following error, "iptables: target
> problem", comes if I enter this rule in a user chain:
> iptables -t nat -A first_group -s a.b.c.d -d x/y -p tcp --dport 10001 \
> -j DNAT --to-destination 1.2.3.4:25
>
> Here are my version and modules:
> uname -r --> 2.4.20
> iptables -V --> v1.2.8
> lsmod --> ipt_REJECT
> ipt_REDIRECT
> ipt_limit
> ipt_LOG
> ipt_multiport
> ipt_state
> ipt_MASQUERADE
> iptable_filter
> iptable_nat
> ip_conntrack_ftp
> ip_conntrack
> ip_tables
>
> After your question I made a test on another machine. What a miracle, the same
> rule works fine. And here is my question again: what kind of module is missing
> for me?
>
> best regards
>
> Jan
Hmmm . . . I'll have to defer to others who know more about modules. I
always compile mine as part of the kernel just in case. I see the
iptable_nat so I'm not sure what's missing. Is there any chance the
userland tools are mismatched to the kernel?
* Re: question about -t nat
From: Daniel Wittenberg @ 2004-06-19 22:40 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter
On Sat, 2004-06-19 at 17:18, John A. Sullivan III wrote:
> On Sat, 2004-06-19 at 15:54, Postmaster wrote:
> > > But what, exactly, is the question?
> >
> > I'm not sure after your question. The following error, "iptables: target
> > problem", comes if I enter this rule in a user chain:
> > iptables -t nat -A first_group -s a.b.c.d -d x/y -p tcp --dport 10001 \
> > -j DNAT --to-destination 1.2.3.4:25
DNAT target can only be used with PREROUTING and OUTPUT.
Dan
* Re: question about -t nat
From: John A. Sullivan III @ 2004-06-19 23:21 UTC (permalink / raw)
To: Daniel Wittenberg; +Cc: netfilter
On Sat, 2004-06-19 at 18:40, Daniel Wittenberg wrote:
> On Sat, 2004-06-19 at 17:18, John A. Sullivan III wrote:
> > On Sat, 2004-06-19 at 15:54, Postmaster wrote:
> > > > But what, exactly, is the question?
> > >
> > > I'm not sure after your question. The following error, "iptables: target
> > > problem", comes if I enter this rule in a user chain:
> > > iptables -t nat -A first_group -s a.b.c.d -d x/y -p tcp --dport 10001 \
> > > -j DNAT --to-destination 1.2.3.4:25
>
> DNAT target can only be used with PREROUTING and OUTPUT.
>
> Dan
Thankfully, that is not true! I just about had a heart attack because we
make heavy use of DNAT outside of PREROUTING and OUTPUT in the automatic
NAT configuration facility of the ISCS project
(http://iscs.sourceforge.net). I've just tested it and, indeed, DNAT
can be used in user created chains as long as those chains are in the
nat table. Of course, if Postmaster's first_group chain is not in the
nat table, that would be a problem :-) - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
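The layout Jan is after, with John's finding applied (DNAT is accepted in a user-defined chain as long as that chain lives in the nat table), written out as an added example; this is not code from the thread or from any of the posters. It emits the nat table as an iptables-restore ruleset so the user chains are declared in the nat table in the same load as the rules that use them, and it checks whether the DNAT target is registered before trying to load anything. Assumptions: the interface names, the RFC 5737 placeholder addresses and the port numbers stand in for Jan's a.b.c.d and x/y; the targets list is read from /proc/net/ip_tables_targets, which the x_tables layer of 2.6-era and later kernels exposes once ip_tables is loaded (it is assumed not to exist on the 2.4 kernels in this thread, where the test below instead supplies its own list file). One caveat a practitioner should keep in mind: the kernel validates DNAT against the hooks a chain can be reached from, so a user chain holding DNAT rules may only be jumped to from PREROUTING or OUTPUT; a jump to it from POSTROUTING makes the whole load fail.

```shell
#!/bin/sh
# Added example, not part of the netfilter thread: per-interface user chains in
# the nat table carrying DNAT rules, loaded through iptables-restore.
# Addresses, ports and interface names are placeholders (assumptions).

# Emit a complete nat table. PREROUTING only dispatches to one user chain per
# ingress interface; the DNAT rules live in those user chains. The ':name - [0:0]'
# lines declare the user chains inside the nat table, which is what DNAT needs.
build_nat_ruleset() {
    # $1 = first ingress interface, $2 = second ingress interface
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:first_group - [0:0]
:second_group - [0:0]
-A PREROUTING -i $1 -j first_group
-A PREROUTING -i $2 -j second_group
-A first_group -s 192.0.2.10 -d 198.51.100.0/24 -p tcp --sport 1024:65535 --dport 10001 -j DNAT --to-destination 10.0.0.25:25
-A second_group -s 192.0.2.10 -d 198.51.100.0/24 -p tcp --sport 1024:65535 --dport 10002 -j DNAT --to-destination 10.0.0.26:25
COMMIT
EOF
}

# Return 0 if target $1 is registered with the kernel, 1 otherwise.
# $2 overrides the list file (default: the procfs list exposed by x_tables;
# assumed absent on 2.4 kernels, in which case this reports "not registered").
target_registered() {
    _list="${2:-/proc/net/ip_tables_targets}"
    [ -r "$_list" ] || return 1
    grep -qx "$1" "$_list"
}

# Count the DNAT rules that sit in a user-defined chain rather than directly
# in PREROUTING or OUTPUT, to confirm the ruleset has the intended shape.
count_user_chain_dnat() {
    build_nat_ruleset eth0 eth1 | grep -c -- '^-A [a-z_]*_group .* -j DNAT '
}

# Load the table only when the kernel already knows the DNAT target; otherwise
# report it instead of letting iptables-restore fail half-way through.
main() {
    if target_registered DNAT; then
        echo "DNAT target is registered; loading the nat table"
        build_nat_ruleset eth0 eth1 | iptables-restore
    else
        echo "DNAT target not registered or targets list unreadable: load iptable_nat and re-check" >&2
        return 1
    fi
}

# Run the loader only when invoked as: sh nat_chains.sh run
case "$1" in
    run) main ;;
esac
```

Running `sh nat_chains.sh run` as root loads the table atomically; `sh nat_chains.sh` alone defines the functions, so `build_nat_ruleset eth0 eth1` can be inspected before anything touches the kernel. Keeping the DNAT rules out of POSTROUTING-reachable chains is what makes the atomic load succeed; the target check only tells you whether the kernel has the DNAT target at all, not which chain it will accept it in.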
* Re: question about -t nat
From: Postmaster @ 2004-06-19 23:25 UTC (permalink / raw)
To: netfilter
> Hmmm . . . I'll have to defer to others who know more about modules. I
> always compile mine as part of the kernel just in case. I see the
> iptable_nat so I'm not sure what's missing. Is there any chance the
> userland tools are mismatched to the kernel?
> --
Unfortunately not. Otherwise I could change something. Both machines are
clean and self-made from scratch.
The difference on the second machine is the kernel version 2.4.22 with
CONFIG_KMOD --> y. But on the real firewall I won't do anything automatically.
On a third machine (kernel 2.4.26, iptables 1.2.9, and all modules built into
the kernel) a rule with DNAT in a user chain also won't work. I nearly believe
in an error on the second machine :(
Jan
* Re: question about -t nat
From: Jan Brand (Postmaster) @ 2004-06-19 23:53 UTC (permalink / raw)
To: netfilter
It really looks like an error. On a fourth machine (I have too many
machines) my rule works fine too. And I think I have the answer: the first
and the fourth machine both have CONFIG_KMOD --> y. I hope there is
another way than building a new kernel.
best regards
Jan