From: Raido Kurel <raido@elin.ttu.ee>
To: netfilter@lists.netfilter.org
Subject: dnat problem in transparent firewall
Date: Tue, 3 Aug 2004 14:36:08 +0300
Message-ID: <200408031436.08494.raido@elin.ttu.ee>

Hello!

I want to change the destination IP in incoming packets. If someone has time to
answer, read on... In OpenBSD it worked automatically in the same hardware
configuration, just

rdr on xl0 from any to aaa.aaa.aaa.12 -> aaa.aaa.aaa.13

in /etc/pf.rules and that's all.

Configuration:
|LAN|---|ROUTER|---|TRANSPARENT FIREWALL|--|INTERNET GATEWAY|
LAN network: aaa.aaa.aaa.xxx/24
|ROUTER|: integrated into LAN switch
|TRANSPARENT FIREWALL|: a Linux 2.6.x box with iptables 1.2.9 and
ebtables 2.0.6, without IPs on the traffic interfaces: br0=eth1+eth2

router-internet gateway network: aaa.aaa.bbb.cdx/31

Needs:
To change the destination IP of some packets coming from the Internet, i.e. to change
the destination IP from aaa.aaa.aaa.12 to aaa.aaa.aaa.13

What I have done:
iptables rule:

iptables -t nat -A PREROUTING -d aaa.aaa.aaa.12 -j DNAT --to-destination aaa.aaa.aaa.13

I thought that this should do it, but it is not working. If I add this rule,
the incoming packet is dropped in this rule.
For example:

If I log traffic and then change the destination IP, I see traffic:

iptables -t nat -A PREROUTING -j LOG
iptables -t nat -A PREROUTING -d aaa.aaa.aaa.12 -j DNAT --to-destination aaa.aaa.aaa.13

If I try to change the destination IP and then log, I do not see traffic:

iptables -t nat -A PREROUTING -d aaa.aaa.aaa.12 -j DNAT --to-destination aaa.aaa.aaa.13
iptables -t nat -A PREROUTING -j LOG

It seems like the destination IP rule swallows the packet. What could be wrong, or is
there another means to accomplish what I need?

Thanks,
Raido
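A check worth making before reading the "LOG sees nothing" result as a dropped packet: in the nat table, DNAT is a terminating target, so once it matches, no later rule in that chain (including a LOG) is evaluated for that packet, and the nat table is consulted only for the first packet of each connection, with later packets getting the recorded mapping directly from conntrack. A LOG placed after the DNAT rule therefore shows nothing for the rewritten traffic even when the rewrite succeeded; to see the post-NAT destination, log in a chain that runs after nat PREROUTING, such as filter FORWARD. The following is an added example written for this page, not code from the original post or from the netfilter project: a small model of that chain traversal, with constructed addresses 192.0.2.12 and 192.0.2.13 standing in for aaa.aaa.aaa.12 and .13.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addresses standing in for the page's aaa.aaa.aaa.12 / .13
ORIG_DST = "192.0.2.12"
NEW_DST = "192.0.2.13"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Rule:
    target: str                      # "LOG" (non-terminating) or "DNAT" (terminating)
    match_dst: Optional[str] = None  # None: match any destination
    to_dst: Optional[str] = None     # replacement destination for DNAT

    def matches(self, pkt: Packet) -> bool:
        return self.match_dst is None or pkt.dst == self.match_dst


class Netfilter:
    """Model of nat/PREROUTING followed by filter/FORWARD with a conntrack table."""

    def __init__(self, nat_prerouting: List[Rule], filter_forward: List[Rule]):
        self.nat_prerouting = nat_prerouting
        self.filter_forward = filter_forward
        self.conntrack = {}   # original 5-tuple -> destination to apply to later packets
        self.logs = []        # (chain, destination as seen by the LOG rule)

    @staticmethod
    def flow(pkt: Packet) -> Tuple[str, str, int, int]:
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def walk(self, chain: str, rules: List[Rule], pkt: Packet) -> Packet:
        for rule in rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":
                # LOG records the packet and falls through to the next rule
                self.logs.append((chain, pkt.dst))
            elif rule.target == "DNAT":
                # DNAT rewrites the destination and ends traversal of this chain
                return Packet(pkt.src, rule.to_dst, pkt.sport, pkt.dport)
        return pkt

    def receive(self, pkt: Packet) -> Packet:
        key = self.flow(pkt)
        if key in self.conntrack:
            # Only the first packet of a connection traverses the nat table;
            # later packets get the stored mapping without visiting its rules.
            pkt = Packet(pkt.src, self.conntrack[key], pkt.sport, pkt.dport)
        else:
            pkt = self.walk("nat/PREROUTING", self.nat_prerouting, pkt)
            self.conntrack[key] = pkt.dst
        return self.walk("filter/FORWARD", self.filter_forward, pkt)


def trace(log_before_dnat: bool, packets: List[Packet]):
    """Run packets through the two rule orderings from the post; return (logs, final dsts)."""
    dnat = Rule("DNAT", match_dst=ORIG_DST, to_dst=NEW_DST)
    log = Rule("LOG")
    nat_chain = [log, dnat] if log_before_dnat else [dnat, log]
    nf = Netfilter(nat_chain, [Rule("LOG")])   # extra LOG in FORWARD sees post-NAT dst
    final = [nf.receive(p).dst for p in packets]
    return nf.logs, final


# Constructed sample traffic: two packets of one flow to .12, one packet to another host
SAMPLE = [
    Packet("198.51.100.7", ORIG_DST, 40001, 80),
    Packet("198.51.100.7", ORIG_DST, 40001, 80),
    Packet("198.51.100.7", "192.0.2.20", 40002, 80),
]

if __name__ == "__main__":
    for first in (True, False):
        logs, final = trace(first, SAMPLE)
        print("LOG before DNAT:" if first else "DNAT before LOG:", logs, final)
```

In the DNAT-before-LOG ordering the nat LOG only ever reports the packet to 192.0.2.20, which is exactly the "do not see traffic" observation, while the FORWARD LOG shows the .12 packets with their destination already rewritten to .13. On a real bridge there is a further point the model does not cover: after DNAT the frame still carries the destination MAC of the .12 host, and the kernel's bridge-netfilter code can only redirect it to .13 if it can perform a route and ARP lookup from the firewall, which an interface without an IP address cannot do, so a FORWARD-chain LOG (or a packet capture on eth2) is the right place to confirm whether the rewritten packet actually leaves the box.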


Thread overview: 7+ messages
2004-08-03 11:36 Raido Kurel [this message]
2004-08-03 12:33 ` dnat problem in transparent firewall Antony Stone
2004-08-04  7:10 Raido Kurel
2004-08-04  8:45 ` Antony Stone
2004-08-04 11:14   ` Raido Kurel
2004-08-04 11:30     ` Antony Stone
2004-08-04 12:05       ` Raido Kurel
