* DNAT confusion
From: cc @ 2003-07-31 10:32 UTC (permalink / raw)
To: Netfilter Group
Hi,
I should've asked this question in my previous post. I'm using
Linux 2.4.20 (should be patching it to 21 soon).
Right now, I have :
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXT_IP \
--dport 80 -j DNAT --to $HTTP_IP
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -p tcp -d $HTTP_IP --dport 80 \
-j SNAT --to-source $FIREWAL_INT_IP
Right now, I can access the Internet from within the LAN.
The problem is when I try to use the FQDN (www.mydomain.net)
to access my webserver. I know that I've hit the exact
hurdle as mentioned within the iptables tutorial. But
the problem is, I have included the tutorial's suggestion of
adding that POSTROUTING rule in.
I had it working before, but the problem I had with
it working (*grin*) was that the web server wasn't logging
the EXT_IP's IP, but rather my firewall's internal IP.
I don't remember how I got it working before, so I'm
stuck with a dilemma. Should I allow FQDN references
for local users (and have the web server log packets
originating from the firewall) or should I disallow FQDN
(and have the web server log the actual IPs)?
Is there a way for me to have the best of both worlds?
Now I'm not sure if the last remaining 'rule' given in
the DNAT section is the clincher, but since I'm getting
an invalid argument (and still am searching for the
pom patch for it), I'm not able to use that third rule.
Any help appreciated
Edmund
--
email: cc@belfordhk.com | "A man who knows not where he goes,
| knows not when he arrives."
| - Anon
** All information contained in this email is strictly **
** confidential and may be used by the intended recipient **
** only. **
* RE: DNAT confusion
From: George Vieira @ 2003-07-31 10:51 UTC (permalink / raw)
To: cc, Netfilter Group
$IPTABLES -t nat -A POSTROUTING -p tcp -d $HTTP_IP --dport 80 \
-j SNAT --to-source $FIREWAL_INT_IP
You should specify -s $INTLANSUBNET/24 on this line to prevent it activating
for external visitors.
Also, use -i/-o where possible, as it'll catch the correct packets going to
the right place.
RESULT:
# for external visitor DNATing.
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp -d $EXT_IP \
--dport 80 -j DNAT --to $HTTP_IP
# Bucket passing
$IPTABLES -A FORWARD -p tcp --dport 80 -j ACCEPT
# replies come back with sport 80, not dport 80, so no port match here
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED \
-j ACCEPT # think this is needed.
# for internal visitor SNATing.
$IPTABLES -t nat -A POSTROUTING -s $INTSUBNET -p tcp -o $INTDEV \
-d $HTTP_IP --dport 80 -j SNAT --to-source $FIREWAL_INT_IP
I think that's about it.. ;)
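The three paths the rules above have to handle (an outside visitor, a LAN client connecting to the public name, and what happens with no SNAT at all), modelled in Python as an added example; this is not code from either post. The addresses are assumed: 203.0.113.10 stands in for $EXT_IP, 198.51.100.7 for an outside client, 192.168.1.80 for $HTTP_IP, 192.168.1.1 for $FIREWAL_INT_IP and 192.168.1.0/24 for $INTSUBNET. The model leaves the input-interface match off the DNAT rule, because a LAN client's packets to the public address arrive on the internal interface and still need translating, and it looks only at the first packet of a flow, which is the only packet the nat table ever sees; conntrack applies the same mapping, and its reverse, to the rest of the flow.

```python
"""Hairpin (NAT-loopback) model for the DNAT/SNAT rules in the thread.

Added example, not code from the original posts. All addresses below are
assumptions: 203.0.113.10 plays $EXT_IP, 192.168.1.80 plays $HTTP_IP,
192.168.1.1 plays $FIREWAL_INT_IP and 192.168.1.0/24 plays $INTSUBNET.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IP = "203.0.113.10"            # assumed public address of the firewall
HTTP_IP = "192.168.1.80"           # assumed web server on the LAN
FIREWALL_INT_IP = "192.168.1.1"    # assumed internal address of the firewall
INT_SUBNET = ipaddress.ip_network("192.168.1.0/24")

EXTERNAL_CLIENT = "198.51.100.7"   # constructed outside visitor
LAN_CLIENT = "192.168.1.50"        # constructed LAN user typing the FQDN


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class NatRule:
    target: str                            # "DNAT" (PREROUTING) or "SNAT" (POSTROUTING)
    to: str                                # --to / --to-source
    dst: Optional[str] = None              # -d
    dport: Optional[int] = None            # --dport
    src_net: Optional[ipaddress.IPv4Network] = None  # -s

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        return True


def apply_nat(rules: list[NatRule], pkt: Packet) -> Packet:
    """Run the first packet of a flow through PREROUTING, then POSTROUTING.
    As in iptables, the first matching rule in each nat chain wins."""
    for rule in (r for r in rules if r.target == "DNAT"):
        if rule.matches(pkt):
            pkt = Packet(pkt.src, rule.to, pkt.dport)
            break
    for rule in (r for r in rules if r.target == "SNAT"):
        if rule.matches(pkt):
            pkt = Packet(rule.to, pkt.dst, pkt.dport)
            break
    return pkt


def hairpin_outcome(rules: list[NatRule], client_ip: str) -> tuple[str, bool]:
    """Return (source address the web server logs, whether the reply path works).

    The reply only works if it comes back through the firewall: that is the
    case for an outside client (default route) or when the server answers the
    firewall itself. A reply sent straight to a LAN client comes from HTTP_IP
    while the client expects EXT_IP, so the client's TCP stack drops it.
    """
    after = apply_nat(rules, Packet(client_ip, EXT_IP, 80))
    reply_goes_direct = ipaddress.ip_address(after.src) in INT_SUBNET
    works = (not reply_goes_direct) or after.src == FIREWALL_INT_IP
    return after.src, works


DNAT_RULE = NatRule("DNAT", to=HTTP_IP, dst=EXT_IP, dport=80)

# Original post: SNAT for everyone reaching HTTP_IP:80.
UNRESTRICTED = [DNAT_RULE, NatRule("SNAT", to=FIREWALL_INT_IP, dst=HTTP_IP, dport=80)]
# Suggested fix: SNAT only when the client is on the LAN (-s $INTSUBNET).
RESTRICTED = [DNAT_RULE, NatRule("SNAT", to=FIREWALL_INT_IP, dst=HTTP_IP, dport=80,
                                 src_net=INT_SUBNET)]
# No SNAT at all: shows why the rule is needed for LAN clients.
NO_SNAT = [DNAT_RULE]


if __name__ == "__main__":
    for name, rules in (("unrestricted SNAT", UNRESTRICTED),
                        ("SNAT with -s LAN", RESTRICTED),
                        ("no SNAT", NO_SNAT)):
        for who, ip in (("external", EXTERNAL_CLIENT), ("LAN", LAN_CLIENT)):
            logged, ok = hairpin_outcome(rules, ip)
            print(f"{name:18} {who:8} server logs {logged:14} reply {'ok' if ok else 'BROKEN'}")
```

Compare the two rows for the external client: without the -s match the web server logs the firewall's internal address for everyone, which is exactly the logging complaint in the original post; with it, only LAN clients are rewritten, and those must be, because a reply sent straight from $HTTP_IP to a LAN client would come from the wrong address and be dropped (the "no SNAT" row). If the LAN clients' real addresses matter in the web server logs as well, the usual alternative is to have the internal DNS resolve www.mydomain.net to $HTTP_IP directly, so LAN traffic never passes through the firewall at all. Separately, check the FORWARD chain: an ACCEPT on --dport 80 only covers the client-to-server direction, so with a DROP policy the replies need a --state ESTABLISHED,RELATED rule without a port match.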
* Re: DNAT confusion
From: Oskar Andreasson @ 2003-07-31 17:00 UTC (permalink / raw)
To: cc; +Cc: Netfilter Group
Hi all,
Just thought I'd let people know that I am aware of this fault in the
tutorial, and it has been fixed. Unfortunately, I won't be releasing
it (together with a few other things) for quite some time yet.
I am working on 4-5 (possibly 6) new chapters, and want to finish them all
up before I release the next version of the tutorial.
After that, I am considering updating the whole thing to 2.6 standards,
but I'll save that for then. I may possibly fork the document into two
separate entities, one for 2.4 kernels and one for 2.6 kernels.
Have a nice week (or month, depending on when you will see me next). I
will be leaving for CERTconf this Sunday, and I will be attending the
netfilter workshop in Budapest as well.
Anyways... see you all around :)
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net