* forwarding to an external ip
@ 2005-01-12 17:09 Roderik van Heijst
  2005-01-13 16:21 ` Jason Opperisano
  2005-01-13 16:22 ` Samuel Jean
  0 siblings, 2 replies; 3+ messages in thread
From: Roderik van Heijst @ 2005-01-12 17:09 UTC (permalink / raw)
  To: netfilter

hi there,

i spent the whole day (which sucks btw :( ) trying to figure out how to
forward 62.131.95.133:4321 (phex) to 131.155.228.4:1111 (orion). Quickly said, after 6
hours (which is too long IMHO) i got it to work. However, phex was just
for testing and i want it to work on 80.69.73.147 (boron) so i figured - if i
copied the complete setup of iptables at phex to boron, it should do the same. 

... Nopez. Honestly, I can't understand what's making the difference .. must be due to
different kernels, but this is user-space right .. should work the same?
I'm sorry if i sound frustrated, but i am.

iptables -F
iptables -t nat -F
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to 131.155.228.4
iptables -t nat -A POSTROUTING -p tcp --dport 1111 -j MASQUERADE
iptables -L
iptables -t nat -L

that's all i had to do on phex to get it working.
iptables -L, iptables -t nat -L and iptables -t mangle -L output exactly the same (phex & boron).

Now for the difference that i can spot which may have to do with this:
phex uses 2.4.20 whereas boron has 2.4.24. A subtle difference (at least that's what it
seems to me) is that phex preroutes things from ppp0 while boron should
do that from eth0, maybe that can be the problem? i don't see how, but
that doesn't surprise me anymore by now. I hope any of you can bravely
come up with some sort of answer that should push me into the right
direction of solving this .. well .. i don't know what it is. Aargh!

oh and happy newyear.

p.s. i'm not on this list, figured it's a little silly to subscribe for
one question, so please reply/cc/bcc to my address, which is
roderik@digicit.nl .. and many thanks in advance.

p.p.s. i noticed that
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to :4444
does not do the same as
iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to 127.0.0.1:4444
 when that box is directly addressed, which is another mystery for me..
 but that's probably how it should work.




* Re: forwarding to an external ip
  2005-01-12 17:09 forwarding to an external ip Roderik van Heijst
@ 2005-01-13 16:21 ` Jason Opperisano
  2005-01-13 16:22 ` Samuel Jean
  1 sibling, 0 replies; 3+ messages in thread
From: Jason Opperisano @ 2005-01-13 16:21 UTC (permalink / raw)
  To: netfilter; +Cc: roderik

On Wed, Jan 12, 2005 at 06:09:26PM +0100, Roderik van Heijst wrote:
> hi there,
> 
> i spent the whole day (which sucks btw :( ) trying to figure out how to
> forward 62.131.95.133:4321 (phex) to 131.155.228.4:1111 (orion). Quickly said, after 6
> hours (which is too long IMHO) i got it to work. However, phex was just
> for testing and i want it to work on 80.69.73.147 (boron) so i figured - if i
> copied the complete setup of iptables at phex to boron, it should do the same. 
> 
> ... Nopez. Honestly, I can't understand what's making the difference .. must be due to
> different kernels, but this is user-space right .. should work the same?
> I'm sorry if i sound frustrated, but i am.
> 
> iptables -F
> iptables -t nat -F
> iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to
> 131.155.228.4

shouldn't that be:

  iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 4321 \
    -j DNAT --to-destination 131.155.228.4:1111

> iptables -t nat -A POSTROUTING -p tcp --dport 1111 -j MASQUERADE
> iptables -L
> iptables -t nat -L

it would be nice to see the output of:

  iptables -t nat -vnxL && iptables -vnxL

> that's all i had to do on phex to get it working.
> iptables -L, iptables -t nat -L and iptables -t mangle -L output exactly the same (phex & boron).
> 
> Now for the difference that i can spot which may have to do with this:
> phex uses 2.4.20 whereas boron has 2.4.24. A subtle difference (at least that's what it
> seems to me) is that phex preroutes things from ppp0 while boron should
> do that from eth0, maybe that can be the problem? i don't see how, but

you need to specify the correct interface, yes.  if i put "-i bob" in my
rules--they won't ever match.  computers are funny that way.

> that doesn't surprise me anymore by now. I hope any of you can bravely
> come up with some sort of answer that should push me into the right
> direction of solving this .. well .. i don't know what it is. Aargh!

how about showing us what you have on the box that's not working (see
above for requested output).


> 
> oh and happy newyear.
> 
> p.s. i'm not on this list, figured it's a little silly to subscribe for
> one question, so please reply/cc/bcc to my address, which is
> roderik@digicit.nl .. and many thanks in advance.
> 
> p.p.s. i noticed that
> iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to
> :4444
> does not do the same as
>  iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to
>  127.0.0.1:4444
>  when that box is directly addressed, which is another mystery for me..
>  but that's probably how it should work.

if you were on this you would've seen this come up before, and been able
to read the explanation on why it works the way it does.  you can still
search the archives if it's keeping you up at night.

-j

--
"I have been shot eight times this year, and as a result, I almost
 missed work."
        --The Simpsons



* Re: forwarding to an external ip
  2005-01-12 17:09 forwarding to an external ip Roderik van Heijst
  2005-01-13 16:21 ` Jason Opperisano
@ 2005-01-13 16:22 ` Samuel Jean
  1 sibling, 0 replies; 3+ messages in thread
From: Samuel Jean @ 2005-01-13 16:22 UTC (permalink / raw)
  To: Roderik van Heijst; +Cc: netfilter

On Wed, January 12, 2005 12:09 pm, Roderik van Heijst said:
> hi there,

hi

> [...]
> ... Nopez. Honestly, I can't understand what's making the difference ..
> must be due to
> different kernels, but this is user-space right .. should work the same?

What do you mean by `but this is user-space' ?

> I'm sorry if i sound frustrated, but i am.

Against what ? 8)

>
> iptables -F
> iptables -t nat -F
> iptables -t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to
> 131.155.228.4
> iptables -t nat -A POSTROUTING -p tcp --dport 1111 -j MASQUERADE
> iptables -L
> iptables -t nat -L

Quick comment : May I guess you have static external ip ?

If you do, use SNAT instead of MASQUERADE.

>
> Now for the difference that i can spot which may have to do with this:
> phex uses 2.4.20 whereas boron has 2.4.24.

Shouldn't matter.

> A subtle difference (at least that's what it seems to me) is that phex
> preroutes things from ppp0 while boron should
> do that from eth0, maybe that can be the problem? i don't see how, but
> that doesn't surprise me anymore by now.

That, obviously, is a problem. The packet will never get DNAT'ed
(because it doesn't match your rule) if you specified it should
come from ppp0 where, in fact, it comes from eth0.

> I hope any of you can bravely
> come up with some sort of answer that should push me into the right
> direction of solving this .. well .. i don't know what it is. Aargh!

Maybe I missed something ?

>
> oh and happy newyear.

Thanks

HTH,

Samuel
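
Both replies come down to rule matching: a PREROUTING rule only fires when every match option agrees with the packet. The sketch below is an added illustration, not part of the thread and not netfilter code; it models only the `-i`, `-p` and `--dport` matches, and `rule_matches`, `verdict` and `RULE_BORON` (the posted rule adapted to eth0, an assumption) are hypothetical names.

```shell
#!/bin/sh
# Added illustration: evaluates the match part of an iptables rule spec
# (-i, -p and --dport only) against a described packet.

# rule_matches "<rule options>" <in-iface> <proto> <dport>
# Returns 0 when every modelled match option agrees with the packet.
rule_matches() {
    rule=$1 pkt_if=$2 pkt_proto=$3 pkt_dport=$4
    set -- $rule                      # intentional word splitting of the rule text
    while [ $# -gt 0 ]; do
        case $1 in
            -i)      [ "$2" = "$pkt_if" ]    || return 1; shift 2 ;;
            -p)      [ "$2" = "$pkt_proto" ] || return 1; shift 2 ;;
            --dport) [ "$2" = "$pkt_dport" ] || return 1; shift 2 ;;
            -j)      break ;;         # target follows; matching is finished
            *)       shift ;;         # -t nat, -A PREROUTING and similar
        esac
    done
    return 0
}

# Prints what happens to the packet under the given rule.
verdict() { if rule_matches "$@"; then echo DNAT; else echo "no match"; fi; }

# Rule as posted in the thread (worked on phex, copied to boron).
RULE_POSTED='-t nat -A PREROUTING -p tcp -i ppp0 --dport 1111 -j DNAT --to 131.155.228.4'
# Rule as suggested in the first reply (port 4321 in, 1111 out).
RULE_JASON='-t nat -A PREROUTING -p tcp -i ppp0 --dport 4321 -j DNAT --to-destination 131.155.228.4:1111'
# Assumed adaptation for boron: same rule, interface changed to eth0.
RULE_BORON='-t nat -A PREROUTING -p tcp -i eth0 --dport 4321 -j DNAT --to-destination 131.155.228.4:1111'

# Constructed sample packets: <in-iface> <proto> <dport>
echo "posted rule, packet on ppp0 to 1111: $(verdict "$RULE_POSTED" ppp0 tcp 1111)"
echo "posted rule, packet on eth0 to 4321: $(verdict "$RULE_POSTED" eth0 tcp 4321)"
echo "reply rule,  packet on eth0 to 4321: $(verdict "$RULE_JASON" eth0 tcp 4321)"
echo "eth0 rule,   packet on eth0 to 4321: $(verdict "$RULE_BORON" eth0 tcp 4321)"
```

On a live box, the packet counters in `iptables -t nat -vnxL` (the output requested in the first reply) show the same thing: a rule whose counters stay at zero is not matching.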


