From: "Örjan Persson" <"o.p+S.P.A.M."@fobie.net>
To: netfilter@lists.netfilter.org
Subject: Re: DNAT onto the same external network
Date: Tue, 9 Dec 2003 17:44:00 +0100 [thread overview]
Message-ID: <20031209164400.GA11252@fobie.net> (raw)
In-Reply-To: <20031209021907.GA24265@fobie.net>
Hello again,
In the case that this mail reaches the mailing list, I would just like to
answer my own question. I had misunderstood the SNAT command, and to get
this correct you/I need to change the IPs in the SNAT command. (This is
because this rule is for the reply FROM the source host which has been
routed to with the DNAT command.)
>
> ## Destination NAT Onto the Same Network
> iptables -t nat -A POSTROUTING -d 111.222.333.13 -s 0.0.0.0/0 \
> -p tcp --dport 2525 -j SNAT --to 111.222.333.16
In this case this would've been -d 111.222.333.16 and --to ...13.
Cheers,
Örjan
Örjan Persson (o.p+S.P.A.M.@fobie.net) wrote:
> Hello,
>
> I'm trying to redirect all SMTP connections to one external host to
> another external host. Both of these exist on the same subnet which, if
> I've understood it correctly, equals trouble. ;)
>
> So, reading through the NAT HOWTO and lots of questions to this list
> I've tried most things, but unfortunately it doesn't work.
>
> For testing purposes I use port 2525 on the first host before taking the
> mail service on that host down permanently.
>
> This is today's situation; trying to redirect ...13:2525 to ...16:25.
>
>             [ net ]
>            ´       `
>   111.222.333.13   111.222.333.16
>
> These are external IPs, there's no internal network.
>
> I'm currently using Debian Woody (iptables v1.2.6a) with a freshly
> compiled kernel 2.4.18 with NAT support.
>
> The rules I think are the ones that *should* work are these:
>
> ## Change destination addresses of mail traffic to 111.222.333.16, port 25.
> iptables -t nat -A PREROUTING -p tcp --dport 2525 -i eth0 \
> -j DNAT --to 111.222.333.16:25
>
> ## Destination NAT Onto the Same Network
> iptables -t nat -A POSTROUTING -d 111.222.333.13 -s 0.0.0.0/0 \
> -p tcp --dport 2525 -j SNAT --to 111.222.333.16
>
> These are also the only rules that currently exist on the machine. If I
> then use these and connect from the subnet 111.222.333.0/24 the SNAT
> packet counter increases; connecting from another subnet increases the
> DNAT counter.
>
> Tracing these with tcpdump shows this output:
> [ 111.222.333.13 / mail1.myhostname.com ]
> 03:04:43.451436 externalhost.com.35736 > mail1.myhostname.com.333.222.111.in-addr.arpa.2525: S 684181285:684181285(0) win 5840 <mss 1460,sackOK,timestamp 961920999 0,nop,wscale 0> (DF) [tos 0x60]
> 03:04:43.451538 externalhost.com.35736 > mail2.myhostname.com.smtp: S 684181285:684181285(0) win 5840 <mss 1460,sackOK,timestamp 961920999 0,nop,wscale 0> (DF) [tos 0x60]
> [...]
>
> [ 111.222.333.16 / mail2.myhostname.com ]
> 04:44:46.087439 externalhost.com.35735 > mail2.myhostname.com.smtp: S 654494669:654494669(0) win 5840 <mss 1460,sackOK,timestamp 961920329 0,nop,wscale 0> (DF) [tos 0x60]
> 04:44:46.087480 mail2.myhostname.com.smtp > externalhost.com.35735: S 2345893112:2345893112(0) ack 654494670 win 5792 <mss 1460,sackOK,timestamp 124930458 961920329,nop,wscale 0> (DF)
> 04:44:46.087705 externalhost.com.35735 > mail2.myhostname.com.smtp: R 654494670:654494670(0) win 32120 [tos 0x60]
> 04:44:46.087923 111.222.333.1 > mail2.myhostname.com: icmp: redirect myexternalhost.com to host 111.222.333.18
> [...]
>
> I don't know why it says icmp: redirect to a host with .18, that's not a
> host I know of. Anyway, this is what my iptables -L -v -n -t nat says:
> Chain PREROUTING (policy ACCEPT 17228 packets, 677K bytes)
> pkts bytes target prot opt in out source destination
> 3 180 DNAT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2525 to:111.222.333.16:25
>
> Chain POSTROUTING (policy ACCEPT 2106 packets, 132K bytes)
> pkts bytes target prot opt in out source destination
> 1 60 SNAT tcp -- * * 0.0.0.0/0 111.222.333.13 tcp dpt:2525 to:111.222.333.16
>
> Chain OUTPUT (policy ACCEPT 2081 packets, 131K bytes)
> pkts bytes target prot opt in out source destination
>
> Any ideas, whatsoever, will be gladly received!
>
> Thanks in advance,
> Örjan
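An added Python model of the nat-table path (not part of the thread, and not real netfilter code) showing why the SNAT rule as first posted never fires for a client outside the subnet, and why the corrected rule makes mail2's SYN/ACK come back through .13 to be un-NATed. It keeps the thread's addresses (111.222.333.13 as the NAT box/mail1, .16 as mail2; "333" is the thread's anonymised notation, not a valid octet), uses a constructed client 10.9.8.7, and matches port 25 in POSTROUTING because that hook sees the header after DNAT has rewritten it.

```python
from dataclasses import dataclass, replace

# Addresses from the thread plus one constructed client for the simulation.
NATBOX, MAIL2, CLIENT = "111.222.333.13", "111.222.333.16", "10.9.8.7"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def prerouting_dnat(p):
    """The thread's PREROUTING rule: tcp dpt 2525 -> 111.222.333.16:25."""
    return replace(p, dst=MAIL2, dport=25) if p.dport == 2525 else p

def postrouting_snat(p, rule):
    """SNAT rule as (match_dst, match_dport, to_src). POSTROUTING runs after
    PREROUTING, so the match is tested against the already-DNATed header."""
    match_dst, match_dport, to_src = rule
    return replace(p, src=to_src) if (p.dst, p.dport) == (match_dst, match_dport) else p

def nat_box_forward(syn, snat_rule):
    """Push a client SYN through the nat table and keep the conntrack mapping
    (reply tuple -> original packet) that un-NATs the answer later."""
    out = postrouting_snat(prerouting_dnat(syn), snat_rule)
    conntrack = {(out.dst, out.dport, out.src, out.sport): syn}
    return out, conntrack

def deliver_reply(synack, conntrack):
    """mail2 answers whatever source it saw. Only if that source is .13 does the
    reply cross the NAT box and get un-NATed; otherwise it hits the client as-is."""
    key = (synack.src, synack.sport, synack.dst, synack.dport)
    if synack.dst == NATBOX and key in conntrack:
        o = conntrack[key]
        return Pkt(o.dst, o.dport, o.src, o.sport)
    return synack

def client_accepts(sent, got):
    """A TCP client only accepts a SYN/ACK from the exact 4-tuple it sent to;
    anything else draws the RST seen in the thread's second tcpdump capture."""
    return (got.src, got.sport, got.dst, got.dport) == (sent.dst, sent.dport, sent.src, sent.sport)

def simulate(snat_rule):
    """True if the handshake completes from the client's point of view."""
    syn = Pkt(CLIENT, 35735, NATBOX, 2525)
    out, ct = nat_box_forward(syn, snat_rule)
    synack = Pkt(out.dst, out.dport, out.src, out.sport)
    return client_accepts(syn, deliver_reply(synack, ct))

AS_POSTED = (NATBOX, 2525, MAIL2)    # matches -d .13, but dst is already .16 here
IP_FIX_ONLY = (MAIL2, 2525, NATBOX)  # IPs swapped as in the follow-up, port left at 2525
CORRECTED = (MAIL2, 25, NATBOX)      # -d 111.222.333.16 --dport 25 -j SNAT --to .13
```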