Re: Plz i need help.... or i ll be fired :(

["John A. Sullivan III" <jsullivan@opensourcedevel.com>]

I made some assumptions about other rules you would have had in place.
I believe someone else posted a much more thorough answer.  Did you
create an ESTABLISHED,RELATED rule as that other post suggested?

Would you mind posting your complete rule set (with any sensitive
information edited, of course)? - John

On Tue, 2005-09-27 at 08:30 -0700, Alaios wrote:
> Thx for your quick reply..... i have just tested but
> it didnt work... I think that i cant explain what i
> need or i am doing sth wrong.. 
> i have enabled the packets loging
> so executing dmesg prints the following
> IN=eth1 OUT= MAC=(the mac addresses)
> As u can see the OUT is null which means thats perhaps
> the problem... What do u have in mind?
> 
> --- "John A. Sullivan III"
> <jsullivan@opensourcedevel.com> wrote:
> 
> > On Tue, 2005-09-27 at 11:14 -0400, John A. Sullivan
> > III wrote:
> > > On Tue, 2005-09-27 at 07:57 -0700, Alaios wrote:
> > > > Hi plz take a look at the following example
> > > > 
> > > > The laptop has 2 ethernet interfaces
> > > > To eth1 comes traffic from src 143.233.222.253
> > > > The eth0 has ip address 10.2.4.2 and it is
> > connected
> > > > back to back with eth1 of other pc with ip
> > address
> > > > 10.2.4.1
> > > > I want to forward the traffic with src
> > 143.233.222.253
> > > > to the 10.2.4.1 pc and if it works i will redo
> > this
> > > > for a second pc so as to l send the traffic to a
> > third
> > > > on.
> > > > Can u help me plz?
> > > > 
> > > > I have tried this one
> > > > iptables -t nat -A PREROUTING -i eth1 -s
> > > > 143.233.222.253 -j DNAT --to-destination
> > 10.2.4.1
> > > > i have also set the
> > > > /proc/sys/net/ipv4/ip_forward to 1
> > > > but still i cant see any trafiic to eth0
> > interface (ip
> > > > 10.2.4.2)
> > > > 
> > > > 
> > > > I have also tested this one
> > > > iptables -t nat -A PREROUTING -p tcp -d
> > 143.233.222.77
> > > > (laptop eth1 card) --dport 22453 (i have cheched
> > dst
> > > > port with tcpdump) 00 -j DNAT --to-destination
> > > > 10.2.4.1
> > > > this still doesnt work
> > > > Every time i try to apply a new rule i use first
> > > > the iptables -F
> > > > iptables -t nat -F command
> > > <snip>
> > > 
> > > I'm a little confused about what you are doing.  I
> > would normally refer
> > > you to Oskar Andreasson's excellent tutorial at
> > >
> >
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
> > or the
> > > training slides on the ISCS web site
> > (http://iscs.sourceforge.net) but,
> > > since it appears that you have an emergency, here
> > goes:
> > > 
> > > First, if the source is 143.233.222.253, you would
> > not want to DNAT it.
> > > DNAT changes the destination.  Thus, your second
> > attempt is the correct
> > > one.  You might want to lock the destination port
> > - it's not likely to
> > > be a problem but, if it ever is, it will be one of
> > those really hard to
> > > diagnose, sporadic problems:
> > > -j DNAT --to-destination 10.2.4.1:22453
> > > 
> > > Second, this only takes care of the addressing. 
> > You must still allow
> > > the traffic in the FORWARD chain of the filter
> > table, e.g., 
> > > 
> > > iptables -A FORWARD -d 10.2.4.1 -p 6 --dport 22453
> > -j ACCEPT
> > > 
> > > Hope this helps - John
> > 
> > Oh, yes, you wanted to restrict the source address. 
> > Add that to your
> > filter table rule:
> > iptables -A FORWARD -s 143.233.222.253 -d 10.2.4.1
> > -p 6 --dport 22453 -j
> > ACCEPT
> > -- 
> > John A. Sullivan III
> > Open Source Development Corporation
> > +1 207-985-7880
> > jsullivan@opensourcedevel.com
> > 
> > If you would like to participate in the development
> > of an open source
> > enterprise class network security management system,
> > please visit
> > http://iscs.sourceforge.net
> > 
> > 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com