Forwarding a port on the LAN

Forwarding a port on the LAN

[Internet Protocol version Six]

I want to forward a connection to the router (192.168.0.1:1600) to 192.168.0.2:23 which from the Internet works fine, however if I connect from a LAN machine (192.168.0.3) to the router on port 1600 I get a "Connection timed out". I use the following rule:

iptables -I PREROUTING -t nat -p tcp --dport 1600 -j DNAT --to 192.168.0.2:23

I don't see anything wrong with this, or am I forgetting something?

wkg,

-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be

Re: Forwarding a port on the LAN

[Ramin Dousti]

Just follow the packet flow and you'll see what's happening.

192.168.0.3:whatever sends SYN to 192.168.0.1:1600

the packet gets DNAT'ed and becomes:

192.168.0.3:whatever sends SYN to 192.168.0.2:23

192.168.0.2:23 sends the SYN,ACK to 192.168.0.3:whatever which sits on the
same LAN and does not go through the router to get corrected to its original
state. You need to SNAT the LAN communication to the router's IP to ensure
the return path back to the router.

This is a VFAQ and needs to be explained in the basic Nat HOW-TO of netfilter,
if it's already not there...

Ramin

On Sun, Jul 06, 2003 at 06:42:00AM +0200, Internet Protocol version Six wrote:

> I want to forward a connection to the router (192.168.0.1:1600) to 192.168.0.2:23 which from the Internet works fine, however if I connect from a LAN machine (192.168.0.3) to the router on port 1600 I get a "Connection timed out". I use the following rule:
> 
> iptables -I PREROUTING -t nat -p tcp --dport 1600 -j DNAT --to 192.168.0.2:23
> 
> I don't see anything wrong with this, or am I forgetting something?
> 
> wkg,
> 
> -----------------------------------------------------
> Mail.be, WebMail and Virtual Office
> http://www.mail.be
> 

RE: Forwarding a port on the LAN

[George Vieira]

if your going from LAN to LAN and want a port redirect to another machine on the LAN there is one important thing to remember.
When you connect to port 1600 on the router, this would rewrite the destination address to the internal port 23 machine which is fine, the problem is the return packet which is still marked with the original senders address.
The machine on port 23 will return directly to you and not back via the router which your machine will respond by dropping the packet as there's no internal tracking for it.

In basic words, write a POSTROUTE and SNAT/MASQ the internal LAN source address to be the router so it goes back via the router and connection tracking returns it to the sender.

Problems with this will be that the machine on port 23 will always see the router no matter how many other machines on the LAN telnet to 192.168.0.1:1600. All connections will appear from the router... much like an external website sees normal MASQUERADEd clients behind a firewall.

Hope this info helps.

Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au

Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
 

-----Original Message-----
From: Internet Protocol version Six [mailto:inet6@mail.be]
Sent: Sunday, July 06, 2003 2:42 PM
To: netfilter@lists.netfilter.org
Subject: Forwarding a port on the LAN


I want to forward a connection to the router (192.168.0.1:1600) to 192.168.0.2:23 which from the Internet works fine, however if I connect from a LAN machine (192.168.0.3) to the router on port 1600 I get a "Connection timed out". I use the following rule:

iptables -I PREROUTING -t nat -p tcp --dport 1600 -j DNAT --to 192.168.0.2:23

I don't see anything wrong with this, or am I forgetting something?

wkg,

-----------------------------------------------------
Mail.be, WebMail and Virtual Office
http://www.mail.be