* NAT FROM public ip TO public ip
From: Mario Ohnewald @ 2005-01-07 4:36 UTC (permalink / raw)
To: netfilter
Hello List!

This is a real easy question, but I will explain it in detail so that you
know what I am on about ;)

I have two internet boxes, both have only one NIC.
Box A is my root box.
Box B is an ftp server (where I am not admin, but I have an ftp account).

Both Box A and B have a public IP address.
You can NOT access the ftp server from the outside.
ONLY Box A can connect to that ftp server (Box B).

So I thought I could simply NAT a connection through my Box A, to Box B.
If I connect from the real bad world, to my Box A, port 2121, Box A could
forward/NAT that to the internal ftp box.

I have tried it with this rule:
$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 123.123.123.123 -m helper \
    --helper ftp-2121 -j DNAT --to-destination 123.123.123.111

and

modprobe ip_conntrack_ftp ports=21,2121

But it looks like it's not working.
I did a tcpdump -i eth0 -n host 123.123.123.111

And no packages were transferred to the ftp box (123.123.123.111).
Any idea why? Am I going the right way at all?

Thanks, Mario
* Re: NAT FROM public ip TO public ip
From: Igor Tsinman @ 2005-01-06 7:23 UTC (permalink / raw)
To: Mario Ohnewald; +Cc: netfilter
Mario Ohnewald wrote:
>Hello List!
>
>This is a real easy question, but i will explain it in detail so that you
>know what i am on about ;)
>
>I have two internet boxes, both have only one nic.
>Box A is my root box.
>Box B is a ftp server (where i am not admin, but i have an ftp account).
>
>Both, Box A and B have a public ip address.
>You can NOT access the ftp server from the outside.
>ONLY Box A can connect to that ftp server (Box B).
>
>So i though i could simply nat a connection through my Box A, to Box B.
>If i connect from the real bad world, to my Box A, port 2121. Box A could
>forward/NAT that to the internal ftp box.
>
>I have tried it with this rule:
>$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 123.123.123.123 -m helper
>--helper ftp-2121 -j DNAT --to-destination 123.123.123.111
>
>and
>
>modprobe ip_conntrack_ftp ports=21,2121
>
>
>But it looks like its not working.
>I did a tcpdump -i eth0 -n host 123.123.123.111
>
>
>And no packages where transfered to the ftp box (123.123.123.111).
>Any idea why? Am i going the right way at all?
>
>Thanks, Mario
>
>
>
You have to add an additional rule:
$IPT -A FORWARD -p tcp -i eth1 -d 23.123.123.123 --dport 2121 -j ACCEPT
For this example, eth0 is external and eth1 is internal.
Cheers,
Igor Tsinman
igort@gonetworks.com
* Re: NAT FROM public ip TO public ip
From: Mario Ohnewald @ 2005-01-07 12:57 UTC (permalink / raw)
To: netfilter
On Thu, 2005-01-06 at 08:23, Igor Tsinman wrote:
> Mario Ohnewald wrote:
> >This is a real easy question, but i will explain it in detail so that you
> >know what i am on about ;)
> >
> >I have two internet boxes, both have only one nic.
> >Box A is my root box.
> >Box B is a ftp server (where i am not admin, but i have an ftp account).
> >
> >Both, Box A and B have a public ip address.
> >You can NOT access the ftp server from the outside.
> >ONLY Box A can connect to that ftp server (Box B).
> >
> >So i though i could simply nat a connection through my Box A, to Box B.
> >If i connect from the real bad world, to my Box A, port 2121. Box A could
> >forward/NAT that to the internal ftp box.
> >
> >I have tried it with this rule:
> >$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 123.123.123.123 -m helper
> >--helper ftp-2121 -j DNAT --to-destination 123.123.123.111
> >
> >and
> >
> >modprobe ip_conntrack_ftp ports=21,2121
> >
> >
> >But it looks like its not working.
> >I did a tcpdump -i eth0 -n host 123.123.123.111
> >
> >
> >And no packages where transfered to the ftp box (123.123.123.111).
> >Any idea why? Am i going the right way at all?
> >
> >Thanks, Mario
> >
> >
> >
> You have to add an additional rule:
> $IPT -A FORWARD -p tcp -i eth1 -d 23.123.123.123 --dport 2121 -j ACCEPT
>
> For this example, eth0 is external and eth1 is internal.
I only have one network card.
Cheers, Mario
* Re: NAT FROM public ip TO public ip
From: Igor Tsinman @ 2005-01-08 8:43 UTC (permalink / raw)
To: Mario Ohnewald; +Cc: netfilter
Mario Ohnewald wrote:
>On Thu, 2005-01-06 at 08:23, Igor Tsinman wrote:
>
>
>>Mario Ohnewald wrote:
>>
>>
>
>
>
>>>This is a real easy question, but i will explain it in detail so that you
>>>know what i am on about ;)
>>>
>>>I have two internet boxes, both have only one nic.
>>>Box A is my root box.
>>>Box B is a ftp server (where i am not admin, but i have an ftp account).
>>>
>>>Both, Box A and B have a public ip address.
>>>You can NOT access the ftp server from the outside.
>>>ONLY Box A can connect to that ftp server (Box B).
>>>
>>>So i though i could simply nat a connection through my Box A, to Box B.
>>>If i connect from the real bad world, to my Box A, port 2121. Box A could
>>>forward/NAT that to the internal ftp box.
>>>
>>>I have tried it with this rule:
>>>$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 123.123.123.123 -m helper
>>>--helper ftp-2121 -j DNAT --to-destination 123.123.123.111
>>>
>>>and
>>>
>>>modprobe ip_conntrack_ftp ports=21,2121
>>>
>>>
>>>But it looks like its not working.
>>>I did a tcpdump -i eth0 -n host 123.123.123.111
>>>
>>>
>>>And no packages where transfered to the ftp box (123.123.123.111).
>>>Any idea why? Am i going the right way at all?
>>>
>>>Thanks, Mario
>>>
>>>
>>>
>>>
>>>
>>You have to add an additional rule:
>>$IPT -A FORWARD -p tcp -i eth1 -d 23.123.123.123 --dport 2121 -j ACCEPT
>>
>>For this example, eth0 is external and eth1 is internal.
>>
>>
>
>I only have one network card.
>
>
>
>Cheers, Mario
>
>
>
>
>
See "DNAT forwarding on same interface":
http://lists.netfilter.org/pipermail/netfilter/2002-July/036620.html
Cheers, Igor Tsinman
* Re: NAT FROM public ip TO public ip
From: Mario Ohnewald @ 2005-01-09 22:17 UTC (permalink / raw)
To: Igor Tsinman; +Cc: netfilter
> Mario Ohnewald wrote:
>
> >On Thu, 2005-01-06 at 08:23, Igor Tsinman wrote:
> >
> >
> >>Mario Ohnewald wrote:
> >>>This is a real easy question, but i will explain it in detail so that you
> >>>know what i am on about ;)
> >>>
> >>>I have two internet boxes, both have only one nic.
> >>>Box A is my root box.
> >>>Box B is a ftp server (where i am not admin, but i have an ftp account).
> >>>
> >>>Both, Box A and B have a public ip address.
> >>>You can NOT access the ftp server from the outside.
> >>>ONLY Box A can connect to that ftp server (Box B).
> >>>
> >>>So i though i could simply nat a connection through my Box A, to Box B.
> >>>If i connect from the real bad world, to my Box A, port 2121. Box A could
> >>>forward/NAT that to the internal ftp box.
> >>>
> >>>I have tried it with this rule:
> >>>$IPT -t nat -A PREROUTING -i eth0 -p tcp -d 123.123.123.123 -m helper
> >>>--helper ftp-2121 -j DNAT --to-destination 123.123.123.111
> >>>
> >>>and
> >>>
> >>>modprobe ip_conntrack_ftp ports=21,2121
> >>>
> >>>
> >>>But it looks like its not working.
> >>>I did a tcpdump -i eth0 -n host 123.123.123.111
> >>>
> >>>
> >>>And no packages where transfered to the ftp box (123.123.123.111).
> >>>Any idea why? Am i going the right way at all?
> >>>
> >>>Thanks, Mario
> >>>
> >>>
> >>>
> >>>
> >>>
> >>You have to add an additional rule:
> >>$IPT -A FORWARD -p tcp -i eth1 -d 23.123.123.123 --dport 2121 -j ACCEPT
> >>
> >>For this example, eth0 is external and eth1 is internal.
> >>
> >>
> >
> >I only have one network card.
> >
> See "DNAT forwarding on same interface":
> http://lists.netfilter.org/pipermail/netfilter/2002-July/036620.html

I have this rule now:

iptables -A PREROUTING -t nat -d host_A -p tcp --dport 2121 -j DNAT --to host_B
iptables -A POSTROUTING -t nat -d host_B -p tcp --dport 2121 -j SNAT --to host_A

When I try to redirect it to port 21 as well (see below), the packet gets
dropped somehow:

iptables -A PREROUTING -t nat -d host_A -p tcp --dport 2121 -j DNAT --to host_B:21

What do I need to change in my rule to redirect it to port 21 from 2121?

Cheers, Mario
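
The interaction between the two rules in the last message, as an added example that is not part of the original thread: a simplified Python model of the nat-table hook order, in which PREROUTING (DNAT) runs before POSTROUTING (SNAT), so a SNAT rule matching `--dport 2121` no longer matches once DNAT has rewritten the port to 21. Assumptions: the client address is constructed, Box B's FTP service listens on port 21, the SNAT rule was left unchanged when the DNAT target became `host_B:21`, and forwarding is otherwise permitted on Box A; FTP data connections are not modelled.

```python
from dataclasses import dataclass, replace

HOST_A = "123.123.123.123"  # Box A (the NAT box), address from the thread
HOST_B = "123.123.123.111"  # Box B (the FTP server), address from the thread
CLIENT = "198.51.100.7"     # constructed outside client (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def prerouting_dnat(pkt, to_port=None):
    """-t nat -A PREROUTING -d host_A -p tcp --dport 2121 -j DNAT --to host_B[:port]"""
    if pkt.dst == HOST_A and pkt.dport == 2121:
        return replace(pkt, dst=HOST_B, dport=to_port or pkt.dport)
    return pkt

def postrouting_snat(pkt, match_dport):
    """-t nat -A POSTROUTING -d host_B -p tcp --dport <match_dport> -j SNAT --to host_A"""
    if pkt.dst == HOST_B and pkt.dport == match_dport:
        return replace(pkt, src=HOST_A)
    return pkt

def traverse(dnat_to_port, snat_match_dport):
    """Send one new connection from CLIENT to host_A:2121 through both hooks.
    POSTROUTING runs after PREROUTING, so it sees the rewritten port."""
    pkt = Packet(src=CLIENT, dst=HOST_A, dport=2121)
    pkt = prerouting_dnat(pkt, dnat_to_port)
    return postrouting_snat(pkt, snat_match_dport)

def box_b_accepts(pkt):
    """Box B only accepts Box A as source; port 21 is an assumed FTP port."""
    return pkt.src == HOST_A and pkt.dst == HOST_B and pkt.dport == 21

CASES = {
    "posted pair (no port change)": traverse(None, 2121),
    "DNAT to :21, SNAT still on 2121": traverse(21, 2121),
    "DNAT to :21, SNAT on 21": traverse(21, 21),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name}: {pkt} accepted={box_b_accepts(pkt)}")
```

In the second case the packet leaves Box A with the outside client's source address, which Box B does not accept; matching the SNAT rule on the post-DNAT port (21) restores Box A as the source.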