* DNAT problem
@ 2004-06-10 11:03 Paul M. Goorskis
0 siblings, 0 replies; 41+ messages in thread
From: Paul M. Goorskis @ 2004-06-10 11:03 UTC (permalink / raw)
To: netfilter
Hello list!
Problem: forward from branch office address 10.1.12.146 to 192.168.130.15 on internal network
I'm stuck
It's not DNAT'ing...
Main office using 192.168.0.0/16 for internal needs and 10.23.17.0/24 to communicate with branch office
Branch office using 10.0.0.0/8
versions:
iptables v1.2.7a
kernel 2.4.20
+-------------+ +-----------+
|BRANCH VPN +----------+10.1.12.146|
|10.23.254.249|eth1 +-----------+
+----+--------+
|eth0
+--------+ |
|Internet+-----+
+--------+
|
|eth0 (213.175.70.195)
+---------------+ eth2+------+ +------------------+
|192.168.130.15 +----------------------+ROUTER+------------+VPN 213.175.70.198|
+---------------+ +------+eth1 | 10.23.254.250 |
| 10.23.17.0/0 |
+------------------+
BRANCH VPN:
route add -net 10.23.17.0/24 gw 10.23.254.250 dev tunl1
VPN:
route add -net 10.23.17.0/24 gw ROUTER
route add -net 10.0.0.0/8 gw 10.23.254.249 dev tunl1
ROUTER:
route add -net 10.0.0.0/8 gw VPN
iptables -t nat -A PREROUTING -i eth1 -s 10.1.12.146 -d 10.23.17.99 -j DNAT --to-destination 192.168.130.15
iptables -A FORWARD -s 10.1.12.146 -d 192.168.130.15 -i eth1 -o eth2 -j ACCEPT
iptables -A FORWARD -d 10.1.12.146 -s 192.168.130.15 -o eth1 -i eth2 -j ACCEPT
Ok, here it goes:
packet started traveling from 10.1.12.146 with DST=10.23.17.99
packet arrived at BRANCH VPN with TTL=27
packet arrived at VPN with TTL=26
packet arrived at ROUTER with TTL=25
and here comes troubles... instead of DNAT'ing connection to 192.168.130.15 and routing
it via eth2 it routes it's not DNAT'ing but sending packet as if it final destination
is 10.23.17.99 via eth1 to VPN box. Not a big surprise that VPN box routes this packet
back to ROUTER. Finaly ping-pong ends at ROUTER with TTL=1 going nowhere. What i'm doing wrong?
I got bunch of similar rules working OK. Just stuck with this one.
Help! :)
Thank you!
^ permalink raw reply [flat|nested] 41+ messages in thread[parent not found: <45227670.8040702@mail.nankai.edu.cn>]
[parent not found: <4521C6A3.1040902@mail.nankai.edu.cn>]
* Re: DNAT problem
[not found] <4521C6A3.1040902@mail.nankai.edu.cn>
@ 2006-10-03 10:11 ` Marco Berizzi
0 siblings, 0 replies; 41+ messages in thread
From: Marco Berizzi @ 2006-10-03 10:11 UTC (permalink / raw)
To: struggle; +Cc: netfilter
Bo Yang wrote:
>How to do the balance using nth match , can you give an example ?
>For example , I have a gateway 111.111.111.111 which connected to my
>own LAN .
>And in LAN , I have four machines 10.0.0.1 - 10.0.0.4 to share the ssh
>connection .
>Could you tell me how to balance the ssh flow ?
I haven't exactly understood your question. However this is
an example:
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22
-m statistic --mode nth --every 4 -j DNAT --to 10.0.0.1
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22
-m statistic --mode nth --every 4 -j DNAT --to 10.0.0.2
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22
-m statistic --mode nth --every 4 -j DNAT --to 10.0.0.3
$IPTABLES -t nat -A PREROUTING -d 111.111.111.111 --protocol tcp --dport 22
-j DNAT --to 10.0.0.4
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT problem
@ 2006-10-02 8:00 Stefan Friedel
2006-10-02 8:25 ` Marco Berizzi
0 siblings, 1 reply; 41+ messages in thread
From: Stefan Friedel @ 2006-10-02 8:00 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 1243 bytes --]
Good Morning,
I have a problem after switching from an old 2.4.x installation to 2.6.17.3 - scenario:
- computer pool with central server, central server visible in the internet
- several nodes, two of them access nodes, private network
- the two access nodes in the pool get all external ssh connections via a rule on the central server
iptables -t nat -A PREROUTING -p tcp -i eth3 -d <external IP> -j DNAT --dport 22 --to-destination <firstprivip>-<lastprivip>
This worked fine with 2.4.29 (server+nodes). But after switching to 2.6 round
robin is no longer working: only the node <lastprivip> is used. Changing the
rule and using the --to-destination <firstprivip> --to-destination <lastprivip>
does not work at all: iptables is complaining about invalid arguments.
iptables on the server is v1.2.11, Debian sarge, 2.6.17.3
Any hint? Did I miss some changes in the behavior of netfilter/iptables?
Thanks and Regards, Stefan Friedel
--
Zentrale Dienste - Interdisziplinäres Zentrum für Wissenschaftliches
Rechnen der Universität Heidelberg - IWR - INF 368, 69120 Heidelberg
stefan.friedel@iwr.uni-heidelberg.de Tel +49 6221 54-8240 Fax -5224
IWR: www.iwr.uni-heidelberg.de HELICS: www.helics.uni-hd.de
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 41+ messages in thread
* RE: DNAT problem
2006-10-02 8:00 Stefan Friedel
@ 2006-10-02 8:25 ` Marco Berizzi
2006-10-02 10:42 ` Pascal Hambourg
0 siblings, 1 reply; 41+ messages in thread
From: Marco Berizzi @ 2006-10-02 8:25 UTC (permalink / raw)
To: stefan.friedel; +Cc: netfilter
Stefan Friedel wrote:
>Good Morning,
>iptables on the server is v1.2.11, Debian sarge, 2.6.17.3
upgrade to iptables 1.3.6
>Any hint? Did I miss some changes in the behavior of netfilter/iptables?
Man page (from iptables 1.3.6) states:
In Kernels up to 2.6.10 you can add several --to-destination options.
For those kernels, if you specify more than one destination address,
either via an address range or multiple --to-destination options, a
simple round-robin (one after another in cycle) load balancing
takes place between these addresses. Later Kernels (>= 2.6.11-rc1)
don't have the ability to NAT to multiple ranges anymore.
Maybe the SAME target extension will help you.
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2006-10-02 8:25 ` Marco Berizzi
@ 2006-10-02 10:42 ` Pascal Hambourg
2006-10-02 12:01 ` Stefan Friedel
2006-10-02 12:48 ` Marco Berizzi
0 siblings, 2 replies; 41+ messages in thread
From: Pascal Hambourg @ 2006-10-02 10:42 UTC (permalink / raw)
To: netfilter
Hello,
Marco Berizzi a écrit :
>
> In Kernels up to 2.6.10 you can add several --to-destination options.
> For those kernels, if you specify more than one destination address,
> either via an address range or multiple --to-destination options, a
> simple round-robin (one after another in cycle) load balancing
> takes place between these addresses. Later Kernels (>= 2.6.11-rc1)
> don't have the ability to NAT to multiple ranges anymore.
OK, SNAT and DNAT do not support multiple --to any more in kernels above
2.6.10. But it is unclear to me whether they still support one IP
address *range* (with round robin) or only one single IP address.
> Maybe the SAME target extension will help you.
The SAME target won't do round robin for the same source address. It
will only do round robin for separate source addresses.
What about the BALANCE target ? It's in the man page, but I had never
heard of it.
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2006-10-02 10:42 ` Pascal Hambourg
@ 2006-10-02 12:01 ` Stefan Friedel
2006-10-02 12:51 ` Marco Berizzi
2006-10-02 13:14 ` Pascal Hambourg
2006-10-02 12:48 ` Marco Berizzi
1 sibling, 2 replies; 41+ messages in thread
From: Stefan Friedel @ 2006-10-02 12:01 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
[-- Attachment #1: Type: text/plain, Size: 1301 bytes --]
Hello,
>
> OK, SNAT and DNAT do not support multiple --to any more in kernels above
> 2.6.10. But it is unclear to me whether they still support one IP
> address *range* (with round robin) or only one single IP address.
The range is still accepted as option for iptables 1.3.6, but it has no effect
with 2.6.17.3 (so I assume that it is indeed the "NAT+round robin" capability
which has gone in Kernels > 2.6.10/11). It doesn't matter if I use the SAME or
the DNAT target in PREROUTING -
>
> The SAME target won't do round robin for the same source address. It
> will only do round robin for separate source addresses.
>
> What about the BALANCE target ? It's in the man page, but I had never
> heard of it.
In iptables 1.3.6 BALANCE is not available (nor is it available in the 2.6.17.3
source). Obsolete? And I fear that it would not help, because the problem is
the missing round robin/load balancing in the Kernel.
Maybe LVS is a solution -
Thanks and Best Regards, Stefan Friedel
--
Zentrale Dienste - Interdisziplinäres Zentrum für Wissenschaftliches
Rechnen der Universität Heidelberg - IWR - INF 368, 69120 Heidelberg
stefan.friedel@iwr.uni-heidelberg.de Tel +49 6221 54-8240 Fax -5224
IWR: www.iwr.uni-heidelberg.de HELICS: www.helics.uni-hd.de
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2006-10-02 12:01 ` Stefan Friedel
@ 2006-10-02 12:51 ` Marco Berizzi
2006-10-02 13:14 ` Pascal Hambourg
1 sibling, 0 replies; 41+ messages in thread
From: Marco Berizzi @ 2006-10-02 12:51 UTC (permalink / raw)
To: stefan.friedel; +Cc: netfilter
Stefan Friedel wrote:
>Maybe LVS is a solution -
you may also try the nth match (called statistic on linux >=2.6.18)
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2006-10-02 12:01 ` Stefan Friedel
2006-10-02 12:51 ` Marco Berizzi
@ 2006-10-02 13:14 ` Pascal Hambourg
2006-10-02 14:18 ` Stefan Friedel
1 sibling, 1 reply; 41+ messages in thread
From: Pascal Hambourg @ 2006-10-02 13:14 UTC (permalink / raw)
To: netfilter
Stefan Friedel a écrit :
>
>>OK, SNAT and DNAT do not support multiple --to any more in kernels above
>>2.6.10. But it is unclear to me whether they still support one IP
>>address *range* (with round robin) or only one single IP address.
>
> The range is still accepted as option for iptables 1.3.6, but it has no effect
> with 2.6.17.3 (so I assume that it is indeed the "NAT+round robin" capability
> which has gone in Kernels > 2.6.10/11). It doesn't matter if I use the SAME or
> the DNAT target in PREROUTING -
One question : did you test this from only one single source IP address
of from several source IP addresses ? SAME is designed to always give
the same mapping to a given source address, and it seems that DNAT/SNAT
do the same in kernels >= 2.6.11.
I remember reading something about this in kernel 2.6.11 changelog :
=======================================================================
[PATCH] Remove Randomness in Selecting NAT IP Address
We currently choose a "random" IP address to NAT to, where we have a
range. Martin Josefsson pointed out that he uses the SAME target in
iptables because changing IP addresses breaks Internet banking sites
(among others) which assume the customer will be coming from a
consistent IP address.
In fact, we spend a fair bit of effort trying to balance the number of
connections we NAT to each IP address. We can come pretty damn close
just hashing the source and destination IP addresses, and it has the
consistency property which is so desirable, as well as being faster.
========================================================================
I believe that with this patch the SNAT and DNAT targets behave in a way
like the SAME target and always use the same mapping in the --to range
for a given source IP address. However, when a range is specified,
different sources may use different mappings. But it won't be a dynamic
round robin, just a static hash. However I believe that when there are
many different source addresses it can achieve some kind of load balancing.
>>What about the BALANCE target ? It's in the man page, but I had never
>>heard of it.
>
> In iptables 1.3.6 BALANCE is not available (nor is it available in the 2.6.17.3
> source). Obsolete? And I fear that it would not help, because the problem is
> the missing round robin/load balancing in the Kernel.
I don't think so. Each target has its own code.
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2006-10-02 13:14 ` Pascal Hambourg
@ 2006-10-02 14:18 ` Stefan Friedel
0 siblings, 0 replies; 41+ messages in thread
From: Stefan Friedel @ 2006-10-02 14:18 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: netfilter
[-- Attachment #1: Type: text/plain, Size: 983 bytes --]
Hello Pascal Hambourg,
>
> One question : did you test this from only one single source IP address
> of from several source IP addresses ? SAME is designed to always give
> the same mapping to a given source address, and it seems that DNAT/SNAT
> do the same in kernels >= 2.6.11.
ah, great. I just tested a few (3 different source ips, to be honest) accounts
before with SAME - after your last mail I asked some colleagues to test: it is
working indeed (obviously using some statistical method to choose the
destination ip. The destination ip did not change until we opened ~ 10
connections from different source ips...)
Thank you for your hint! and best regards, Stefan Friedel
--
Zentrale Dienste - Interdisziplinäres Zentrum für Wissenschaftliches
Rechnen der Universität Heidelberg - IWR - INF 368, 69120 Heidelberg
stefan.friedel@iwr.uni-heidelberg.de Tel +49 6221 54-8240 Fax -5224
IWR: www.iwr.uni-heidelberg.de HELICS: www.helics.uni-hd.de
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2006-10-02 10:42 ` Pascal Hambourg
2006-10-02 12:01 ` Stefan Friedel
@ 2006-10-02 12:48 ` Marco Berizzi
1 sibling, 0 replies; 41+ messages in thread
From: Marco Berizzi @ 2006-10-02 12:48 UTC (permalink / raw)
To: pascal.mail; +Cc: netfilter
Pascal Hambourg wrote:
>The SAME target won't do round robin for the same source address. It will
>only do round robin for separate source addresses.
You could try with the nth match (it is called statistic match
since 2.6.18, and you need iptables 1.3.6).
>What about the BALANCE target ? It's in the man page, but I had never heard
>of it.
This is from ipt_SAME.c:
copied ipt_BALANCE.c to ipt_SAME.c and changed a few things.
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT problem
@ 2006-07-08 21:00 Antonio Di Bacco
0 siblings, 0 replies; 41+ messages in thread
From: Antonio Di Bacco @ 2006-07-08 21:00 UTC (permalink / raw)
To: netfilter
I receive on an interface (eth0, NOARP , ipaddr: 192.168.0.20 ) a tcp packet
in this way (I have dumped it with tcpdump):
SRC: 192.168.0.21:6000
DST: 192.168.0.21:80
I have an iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT
--to-destination 192.168.0.20:80
Why my web server listening on eth0 doesn't receive it?
Thank you,
Antonio.
^ permalink raw reply [flat|nested] 41+ messages in thread
* dnat problem
@ 2005-01-22 15:59 Pablo Allietti
2005-01-22 19:45 ` Jason Opperisano
0 siblings, 1 reply; 41+ messages in thread
From: Pablo Allietti @ 2005-01-22 15:59 UTC (permalink / raw)
To: netfilter
hi all
i have a problem with dnat i have this struc.
|
|internet
|
Firewall 200.20.43.2
|
|
|
Server 192.168.1.143
and i have this rule in the firewall.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2244 -j DNAT
--to-destination 192.168.1.143:22
i supouse this rule make a dnat to server 192.... to ssh but nothing
happends
i do ssh -p2244 200.20.43.2 but nothing respond
what i miss ? :(
thnks all!!
--
Pablo Allietti
LACNIC
--------------
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: dnat problem
2005-01-22 15:59 dnat problem Pablo Allietti
@ 2005-01-22 19:45 ` Jason Opperisano
2005-01-23 0:26 ` Pablo Allietti
0 siblings, 1 reply; 41+ messages in thread
From: Jason Opperisano @ 2005-01-22 19:45 UTC (permalink / raw)
To: netfilter
On Sat, 2005-01-22 at 10:59, Pablo Allietti wrote:
> hi all
>
> i have a problem with dnat i have this struc.
>
>
> |
> |internet
> |
> Firewall 200.20.43.2
> |
> |
> |
> Server 192.168.1.143
>
>
> and i have this rule in the firewall.
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2244 -j DNAT
> --to-destination 192.168.1.143:22
>
> i supouse this rule make a dnat to server 192.... to ssh but nothing
> happends
>
> i do ssh -p2244 200.20.43.2 but nothing respond
>
> what i miss ? :(
and you have a FORWARD rule that looks like:
iptables -A FORWARD -i eth0 -p tcp -d 192.168.1.143 --dport 22 \
-j ACCEPT
yes?
-j
--
"Kids, you tried your best and you failed miserably. The lesson is,
never try."
--The Simpsons
^ permalink raw reply [flat|nested] 41+ messages in thread* Re: dnat problem
2005-01-22 19:45 ` Jason Opperisano
@ 2005-01-23 0:26 ` Pablo Allietti
[not found] ` <20050125150114.GA25839@omega.lacnic.net.uy>
0 siblings, 1 reply; 41+ messages in thread
From: Pablo Allietti @ 2005-01-23 0:26 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
On Sat, Jan 22, 2005 at 02:45:37PM -0500, Jason Opperisano wrote:
> On Sat, 2005-01-22 at 10:59, Pablo Allietti wrote:
> > hi all
> >
> > i have a problem with dnat i have this struc.
> >
> >
> > |
> > |internet
> > |
> > Firewall 200.20.43.2
> > |
> > |
> > |
> > Server 192.168.1.143
> >
> >
> > and i have this rule in the firewall.
> >
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2244 -j DNAT
> > --to-destination 192.168.1.143:22
thanks that is the solution.! :) jaja nice signature.! Homer say
that.. i love homer
> >
> > i supouse this rule make a dnat to server 192.... to ssh but nothing
> > happends
> >
> > i do ssh -p2244 200.20.43.2 but nothing respond
> >
> > what i miss ? :(
>
> and you have a FORWARD rule that looks like:
>
> iptables -A FORWARD -i eth0 -p tcp -d 192.168.1.143 --dport 22 \
> -j ACCEPT
>
> yes?
>
> -j
>
> --
> "Kids, you tried your best and you failed miserably. The lesson is,
> never try."
> --The Simpsons
>
---end quoted text---
--
Pablo Allietti
LACNIC
--------------
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT problem
@ 2004-05-29 15:25 Patrick Leslie Polzer
2004-05-29 15:36 ` Alexis
0 siblings, 1 reply; 41+ messages in thread
From: Patrick Leslie Polzer @ 2004-05-29 15:25 UTC (permalink / raw)
To: netfilter
Hello again,
a DNAT problem is coming up.
My firewall setup (simplified for testing) is currently as follows:
### <snip> ###
##### FILTER table #####
# policies
$ipt -P FORWARD ACCEPT
$ipt -P INPUT ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -F FORWARD
$ipt -F INPUT
$ipt -F OUTPUT
##### NAT table #####
# flush chains
$ipt -t nat -F PREROUTING
$ipt -t nat -F POSTROUTING
$ipt -t nat -F OUTPUT
# masquerading on ppp0 and vortex
$ipt -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
$ipt -t nat -A POSTROUTING -o vortex -j MASQUERADE
# dnat
$ipt -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 192.168.35.191:80
### </snip> ###
The last line is working with
--dport 8080
but isn't with
--dport 80
What's going on there?
Kind regards,
Leslie
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2004-05-29 15:25 DNAT problem Patrick Leslie Polzer
@ 2004-05-29 15:36 ` Alexis
2004-05-29 16:03 ` Patrick Leslie Polzer
0 siblings, 1 reply; 41+ messages in thread
From: Alexis @ 2004-05-29 15:36 UTC (permalink / raw)
To: netfilter
i think it could be
- that the isp (if you're connecting to one isp trough ppp0) has a filter for
port 80 (it seems strange)
are you mangling some packets? what is the output for iptables -t mangle -L?
----- Original Message -----
From: "Patrick Leslie Polzer" <leslie.polzer@gmx.net>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, May 29, 2004 12:25 PM
Subject: DNAT problem
>
> Hello again,
>
> a DNAT problem is coming up.
> My firewall setup (simplified for testing) is currently as follows:
>
>
> ### <snip> ###
>
> ##### FILTER table #####
> # policies
> $ipt -P FORWARD ACCEPT
> $ipt -P INPUT ACCEPT
> $ipt -P OUTPUT ACCEPT
>
> $ipt -F
> $ipt -F FORWARD
> $ipt -F INPUT
> $ipt -F OUTPUT
>
>
> ##### NAT table #####
> # flush chains
> $ipt -t nat -F PREROUTING
> $ipt -t nat -F POSTROUTING
> $ipt -t nat -F OUTPUT
>
> # masquerading on ppp0 and vortex
> $ipt -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> $ipt -t nat -A POSTROUTING -o vortex -j MASQUERADE
>
> # dnat
> $ipt -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination
192.168.35.191:80
>
> ### </snip> ###
>
>
> The last line is working with
>
> --dport 8080
>
> but isn't with
>
> --dport 80
>
> What's going on there?
>
>
> Kind regards,
>
> Leslie
>
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2004-05-29 15:36 ` Alexis
@ 2004-05-29 16:03 ` Patrick Leslie Polzer
2004-05-30 1:00 ` Alexis
0 siblings, 1 reply; 41+ messages in thread
From: Patrick Leslie Polzer @ 2004-05-29 16:03 UTC (permalink / raw)
To: netfilter
On Sat, 29 May 2004 12:36:37 -0300
"Alexis" <alexis@tpys.com.ar> wrote:
> i think it could be
>
> - that the isp (if you're connecting to one isp trough ppp0) has a filter for
> port 80 (it seems strange)
Hm, possible. I just noticed 81 works, too! What crap is this?
> are you mangling some packets? what is the output for iptables -t mangle -L?
No rules at all, I generally try to stay away from mangling when testing:
### <snip> ###
stronghold:~# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
### </snip> ###
So I guess all facts are pointing at my crappy ISP...
Leslie
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2004-05-29 16:03 ` Patrick Leslie Polzer
@ 2004-05-30 1:00 ` Alexis
0 siblings, 0 replies; 41+ messages in thread
From: Alexis @ 2004-05-30 1:00 UTC (permalink / raw)
To: Patrick Leslie Polzer; +Cc: netfilter
to filter some ports is becoming a new "fashion" by the ISP.
The reason is "why he will serve a webserver if i can do this and charge some
fresh money for it"
just that
----- Original Message -----
From: "Patrick Leslie Polzer" <leslie.polzer@gmx.net>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, May 29, 2004 1:03 PM
Subject: Re: DNAT problem
> On Sat, 29 May 2004 12:36:37 -0300
> "Alexis" <alexis@tpys.com.ar> wrote:
>
> > i think it could be
> >
> > - that the isp (if you're connecting to one isp trough ppp0) has a filter
for
> > port 80 (it seems strange)
> Hm, possible. I just noticed 81 works, too! What crap is this?
>
> > are you mangling some packets? what is the output for iptables -t mangle -L?
> No rules at all, I generally try to stay away from mangling when testing:
>
>
> ### <snip> ###
>
> stronghold:~# iptables -t mangle -L
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> ### </snip> ###
>
>
> So I guess all facts are pointing at my crappy ISP...
>
> Leslie
>
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* [Fwd: Re: DNAT Problem]
@ 2004-04-27 5:57 test
2004-04-27 7:20 ` DNAT Problem Rob Sterenborg
0 siblings, 1 reply; 41+ messages in thread
From: test @ 2004-04-27 5:57 UTC (permalink / raw)
To: netfilter
Hi All
I am facing a problem with DNAT and the detail of my problem is as follows :
I have an email server running behind the firewall serving POP3 & SMTP.
Now all requests DNAT from the firewall are logged as if received from the
firewall itself and thus considered as trusted ip. I want all the DNAT
requests to be logged as received real source ip and not from firewall ip.
Please find attach a copy of my firewall script so that you all would be
able to suggest me the required changes. (optional : Any suggestion to
make it more secure)
++++++++++++++++++++++++++++++++++++
#!/bin/bash
# Flush All IPTABLE Rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
iptables -t nat -F OUTPUT
# Default Policy Rules
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Allow only incoming connections that we establish first
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Rules for lo
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
# Rules for eth0 - LAN
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# Rules for eth1 - Internet
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A INPUT -i eth1 -p icmp -j DROP
iptables -A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j
ACCEPT
# SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Email Server Access From Outside
# SMTP
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to
192.168.0.6:25
# Web
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
192.168.0.190:80
# POP3
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 110 -j DNAT --to
192.168.0.6:110
# WebMail
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to
192.168.0.6:80
iptables -A INPUT -i eth1 -j DROP
++++++++++++++++++++++++++++++++++++
Regards
Joel
---------------------------- Original Message ----------------------------
Subject: Re: DNAT Problem
From: test@seaconindia.com
Date: Fri, April 23, 2004 5:52 pm
To: netfilter@lists.netfilter.org
--------------------------------------------------------------------------
Hi Antony
> On Thursday 22 April 2004 7:18 pm, test@seaconindia.com wrote:
>
>> > > iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT
--to 192.168.0.6:25
>> >
>> > I don't believe that can be your complete ruleset.
>> >
>> > I see nothing wrong with the above rule as it stands, however on its
>> own
>> > it's not much good - you need a FORWARD rule to allow packets through
>> to
>> > the mail server as well.
>>
>> Can you give me an example of the forward rule set.
>
> iptables -A FORWARD -d a.b.c.d -p tcp --dport 25 -j ACCEPT
>
> where a.b.c.d is the real (internal) IP address of your mail server.
>
I modified my script as suggested by you but no luck
>> > Anyway, I thought (I may be mistaken) that the problem was not with
>> the
>> > inbound DNAT, but with SNAT?
>
> I repeat the statement immediately above.
>
>> Or shall I attach my complete bash script ? (is it ok ?)
>
> Please do post the smallest ruleset which demonstrates the problem (ie
it allows access to your internal mailserver, but all accesses appear to
be from
> the firewall's IP address).
>
Please find below the SMTP log of my email server
++++++++++++++++++
@4000000040890aad255365a4 tcpserver: pid 30530 from 192.168.0.151
@4000000040890aad2a6f2e9c tcpserver: ok 30530
mail.localmail.com:192.168.0.6:25 :192.168.0.151::1592
++++++++++++++++++
Please note
Firewall IP = 192.168.0.151
Email Server IP = 192.168.0.6
Regards
Joel
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT Problem
2004-04-27 5:57 [Fwd: Re: DNAT Problem] test
@ 2004-04-27 7:20 ` Rob Sterenborg
[not found] ` <1081.80.0.0.23.1083127867.squirrel@80.0.0.175>
0 siblings, 1 reply; 41+ messages in thread
From: Rob Sterenborg @ 2004-04-27 7:20 UTC (permalink / raw)
To: netfilter
> I have an email server running behind the firewall serving POP3 &
SMTP.
> Now all requests DNAT from the firewall are logged as if received from
the
> firewall itself and thus considered as trusted ip. I want all the DNAT
> requests to be logged as received real source ip and not from firewall
ip.
...
> # Default Policy Rules
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
Set this one to DROP and use an ACCEPT rule for what you want to accept
(see below).
That way you won't easily make a mistake when forwarding.
> iptables -t nat -P PREROUTING ACCEPT
> iptables -t nat -P POSTROUTING ACCEPT
> iptables -t nat -P OUTPUT ACCEPT
>
> # Allow only incoming connections that we establish first
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Rules for lo
> iptables -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
That should read :
iptables -A INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP
You want to accept traffic from 127.0.0.0/8 on interface lo.
> # Rules for eth0 - LAN
> iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
>
> # Rules for eth1 - Internet
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
You say eth1 is internet. Why eth0 ?
Should this say :
iptables -t nat -A POSTROUTING -o eth1 -s <net_lan> -j SNAT \
--to-source <ip_inet>
> iptables -A INPUT -i eth1 -p icmp -j DROP
You already do this since you don't have a rule acceping it and policy
is DROP.
> iptables -A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK
SYN -j
> ACCEPT
Why are you accepting this ?
You have set policy to DROP for the INPUT chain. Nice. Everything will
be dropped that doesn't match a rule.
You accept RELATED and ESTABLISHED traffic. Good.
The nex rule you accept tcp packets, that has not SYN set out of the
SYN, RST and ACK flags. Could it be you're matching related/established
traffic ? You already do that.
> # SSH
> iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
>
If you have set policy DROP for the FORWARD chain, you now have to
ACCEPT (and LOG, because that is what you wanted after all) certain
traffic. Below I see you're forwarding to 2 different servers :
192.168.0.6 and 192.168.0.190.
So I think you want this :
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 25 \
-j LOG --log-prefix "ipt:SMTP "
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 25 \
-j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 110 \
-j LOG --log-prefix "ipt:POP3 "
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 110 \
-j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 8000 \
-j LOG --log-prefix "ipt:WEBMAIL "
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 8000 \
-j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 80 \
-j LOG --log-prefix "ipt:WEB "
iptables -A FORWARD -i eth1 -o eth0 -d 192.168.0.6 -p tcp --dport 80 \
-j ACCEPT
> # Email Server Access From Outside
> # SMTP
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to
> 192.168.0.6:25
> # Web
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
> 192.168.0.190:80
>
> # POP3
> iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 110 -j DNAT --to
> 192.168.0.6:110
>
> # WebMail
> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j DNAT --to
> 192.168.0.6:80
> iptables -A INPUT -i eth1 -j DROP
You have set the INPUT policy to DROP so there is no reason to do this.
Gr,
Rob
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT Problem
@ 2004-04-19 5:07 test
2004-04-19 13:43 ` Joel Newkirk
0 siblings, 1 reply; 41+ messages in thread
From: test @ 2004-04-19 5:07 UTC (permalink / raw)
To: netfilter
Hi All
I am new to Iptables & Firewall. I have 2 servers (web & email) running
behind firewall. I have DNAT rule on my firewall, so any request hitting
on port 25, 80, 110 are DNAT to internal servers. Inturn my internal
servers (web & email) feel these requests were received from firewall ie
internal ip and can be trusted.
I want these DNAT request to be forward with their original ip address and
not as coming from firewall ip.
Please advice my firewall rule is as follows :
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to
192.168.0.175:25
Regards
Joel
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT Problem
2004-04-19 5:07 test
@ 2004-04-19 13:43 ` Joel Newkirk
2004-04-20 4:31 ` test
0 siblings, 1 reply; 41+ messages in thread
From: Joel Newkirk @ 2004-04-19 13:43 UTC (permalink / raw)
To: test; +Cc: netfilter
test@seaconindia.com wrote:
>Hi All
>
>I am new to Iptables & Firewall. I have 2 servers (web & email) running
>behind firewall. I have DNAT rule on my firewall, so any request hitting
>on port 25, 80, 110 are DNAT to internal servers. Inturn my internal
>servers (web & email) feel these requests were received from firewall ie
>internal ip and can be trusted.
>
>I want these DNAT request to be forward with their original ip address and
>not as coming from firewall ip.
>
>Please advice my firewall rule is as follows :
>
>iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to
>192.168.0.175:25
>
>Regards
>
>Joel
>
The way DNAT works it changes ONLY the Destination IP, not the Source
IP, so the packets WILL still appear to be from the original source. If
you are NOT seeing them as such, then you have a SNAT rule affecting
them, perhaps something like:
iptables -t nat -A POSTROUTING -j MASQUERADE
or
iptables -t nat -A POSTROUTING -j SNAT --to 192.168.0.254
The solution, if this is the case, is to tie the MASQUERADE or SNAT rule
to a particular interface:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
And make sure that if for some reason you DO need to SNAT traffic from
the firewall inward (out the 'private' nic), you can restrict that
action to particular source IPs or networks (-s a.b.c.d) etc to ensure
that /only/ the traffic you need to have a different source IP will in
fact get one.
Note that this will prevent computers on the LAN from reaching these
servers at their public IPs. (client connects to public IP, which is
firewall, which DNATs traffic back to LAN IP of server, which tries to
reply directly to client awaiting reply from public IP) If you need to
connect to the local servers, you either need to use the local IPs, or
use a SNAT like:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to
192.168.0.254
This way, the ONLY traffic from the firewall to the LAN that is SNATted
is traffic that came from the LAN originally - in most cases, this is
the only SNAT that should be performed on the 'local' interface of the
firewall.
j
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT Problem
2004-04-19 13:43 ` Joel Newkirk
@ 2004-04-20 4:31 ` test
2004-04-22 10:40 ` test
0 siblings, 1 reply; 41+ messages in thread
From: test @ 2004-04-20 4:31 UTC (permalink / raw)
To: Joel Newkirk; +Cc: netfilter
Hi Joel
> test@seaconindia.com wrote:
>
>>Hi All
>>
>>I am new to Iptables & Firewall. I have 2 servers (web & email) running
>>behind firewall. I have DNAT rule on my firewall, so any request hitting
>>on port 25, 80, 110 are DNAT to internal servers. Inturn my internal
>>servers (web & email) feel these requests were received from firewall ie
>>internal ip and can be trusted.
>>
>>I want these DNAT request to be forward with their original ip address
>> and
>>not as coming from firewall ip.
>>
>>Please advice my firewall rule is as follows :
>>
>>iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to
>>192.168.0.175:25
>>
>>Regards
>>
>>Joel
>>
> The way DNAT works it changes ONLY the Destination IP, not the Source
> IP, so the packets WILL still appear to be from the original source. If
> you are NOT seeing them as such, then you have a SNAT rule affecting
> them, perhaps something like:
>
> iptables -t nat -A POSTROUTING -j MASQUERADE
> or
> iptables -t nat -A POSTROUTING -j SNAT --to 192.168.0.254
>
Yes I do have "iptables -t nat -A POSTROUTING -j MASQUERADE"
> The solution, if this is the case, is to tie the MASQUERADE or SNAT rule
> to a particular interface:
>
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> And make sure that if for some reason you DO need to SNAT traffic from
> the firewall inward (out the 'private' nic), you can restrict that
> action to particular source IPs or networks (-s a.b.c.d) etc to ensure
> that /only/ the traffic you need to have a different source IP will in
> fact get one.
>
> Note that this will prevent computers on the LAN from reaching these
> servers at their public IPs. (client connects to public IP, which is
> firewall, which DNATs traffic back to LAN IP of server, which tries to
> reply directly to client awaiting reply from public IP) If you need to
> connect to the local servers, you either need to use the local IPs, or
> use a SNAT like:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j SNAT --to
> 192.168.0.254
>
> This way, the ONLY traffic from the firewall to the LAN that is SNATted
> is traffic that came from the LAN originally - in most cases, this is
> the only SNAT that should be performed on the 'local' interface of the
> firewall.
>
> j
>
But Joel can you please advice me what rule set should I use on my
firewall. I want users from outside to come in for POP & SMTP. But I want
their request to be forwarded with their real ips and not firewall ip.
Thanks for your help
Regards
Joel
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT Problem
2004-04-20 4:31 ` test
@ 2004-04-22 10:40 ` test
2004-04-22 11:07 ` Antony Stone
0 siblings, 1 reply; 41+ messages in thread
From: test @ 2004-04-22 10:40 UTC (permalink / raw)
To: Joel Newkirk; +Cc: netfilter
Hi Joel
>
>> test@seaconindia.com wrote:
>>
>>>Hi All
>>>
>>>I am new to Iptables & Firewall. I have 2 servers (web & email) running
>>>behind firewall. I have DNAT rule on my firewall, so any request hitting
>>>on port 25, 80, 110 are DNAT to internal servers. Inturn my internal
>>>servers (web & email) feel these requests were received from firewall ie
>>>internal ip and can be trusted.
>>>
>>>I want these DNAT request to be forward with their original ip address
>>> and
>>>not as coming from firewall ip.
>>>
>>>Please advice my firewall rule is as follows :
>>>
>>>iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 25 -j DNAT --to
>>>192.168.0.175:25
>>>
>>>Regards
>>>
>>>Joel
>>>
>> The way DNAT works it changes ONLY the Destination IP, not the Source
>> IP, so the packets WILL still appear to be from the original source. If
>> you are NOT seeing them as such, then you have a SNAT rule affecting
>> them, perhaps something like:
>>
>> iptables -t nat -A POSTROUTING -j MASQUERADE
>> or
>> iptables -t nat -A POSTROUTING -j SNAT --to 192.168.0.254
>>
Yes I do have "iptables -t nat -A POSTROUTING -j MASQUERADE"
And as suggested by you I have modified the above rule with
respective nic. But no luck.
Joel can you please advice me on what rule set to use on my firewall. I
want users from outside to come in for POP & SMTP. But I want
their request to be forwarded with their real ips and not firewall ip.
Thanks for your help
Regards
Joel
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT Problem
2004-04-22 10:40 ` test
@ 2004-04-22 11:07 ` Antony Stone
[not found] ` <1589.80.0.0.23.1082637754.squirrel@80.0.0.175>
0 siblings, 1 reply; 41+ messages in thread
From: Antony Stone @ 2004-04-22 11:07 UTC (permalink / raw)
To: netfilter
On Thursday 22 April 2004 11:40 am, test@seaconindia.com wrote:
> >> iptables -t nat -A POSTROUTING -j MASQUERADE
> >> or
> >> iptables -t nat -A POSTROUTING -j SNAT --to 192.168.0.254
>
> Yes I do have "iptables -t nat -A POSTROUTING -j MASQUERADE"
> And as suggested by you I have modified the above rule with
> respective nic. But no luck.
>
> Can you please advice me on what rule set to use on my firewall. I
> want users from outside to come in for POP & SMTP. But I want
> their request to be forwarded with their real ips and not firewall ip.
I think you need to change your generic MASQUERADE or SNAT rule so that it
specifies only packets leaving the external interface - not the internal
interface.
For example:
iptables -A POSTROUTING -t nat -o $extIF -j SNAT --to a.b.c.d
Where a.b.c.d is the external IP of $extIF
Regards,
Antony.
--
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT problem
@ 2003-03-30 14:58 Alexandru Coseru
2003-03-30 15:41 ` Joel Newkirk
0 siblings, 1 reply; 41+ messages in thread
From: Alexandru Coseru @ 2003-03-30 14:58 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 771 bytes --]
hello.. I have the folowing problem... I have a linux gateway with the external IP x.x.x.x and internal Ip 192.168.0.1. I want to make a DNAT and mask a conection from the external IP , forwarded to one of my lan's computer , and the lan computer to see it as 192.168.0.1 , not x.x.x.x
Example: If a packet comes from linux.org to a specific port (let's say 1345) , i want to forward it to a lan computer ( 192.168.0.5) , and mask that connection in a way that 192.168.0.5 sees the packet comes from 192.168.0.1 , and not from linux.org (it's exactly as masquarading , but in reverse way...)
Alex
[-- Attachment #2: Type: text/html, Size: 2131 bytes --]
^ permalink raw reply [flat|nested] 41+ messages in thread* Re: DNAT problem
2003-03-30 14:58 DNAT problem Alexandru Coseru
@ 2003-03-30 15:41 ` Joel Newkirk
0 siblings, 0 replies; 41+ messages in thread
From: Joel Newkirk @ 2003-03-30 15:41 UTC (permalink / raw)
To: Alexandru Coseru, netfilter
On Sunday 30 March 2003 09:58 am, Alexandru Coseru wrote:
> hello.. I have the folowing problem... I have a linux gateway with
> the external IP x.x.x.x and internal Ip 192.168.0.1. I want to
> make a DNAT and mask a conection from the external IP , forwarded to
> one of my lan's computer , and the lan computer to see it as
> 192.168.0.1 , not x.x.x.x
>
> Example: If a packet comes from linux.org to a specific port (let's
> say 1345) , i want to forward it to a lan computer ( 192.168.0.5) ,
> and mask that connection in a way that 192.168.0.5 sees the packet
> comes from 192.168.0.1 , and not from linux.org (it's exactly as
> masquarading , but in reverse way...)
Not really "in reverse way" just on a different interface.
> Alex
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 192.168.0.5
iptables -t nat -A POSTROUTING -o eth1 -d 192.168.0.5 -j SNAT --to
182.168.0.1
This assumes that eth0 is the external interface (with IP x.x.x.x) and
eth1 is the internal with IP 192.168.0.1. You will usually need to
match the traffic type as well, IE if you're DNATting http requests you
should add "-p tcp --dport 80" to BOTH rules.
j
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT problem
@ 2002-11-27 19:28 Geoff Silver
0 siblings, 0 replies; 41+ messages in thread
From: Geoff Silver @ 2002-11-27 19:28 UTC (permalink / raw)
To: netfilter
I'll preface this by saying I'm not subscribed to the list, so if anyone
who can help would CC me, that would be appreciated. Thanks!
I have a 3-way firewall doing DNAT from a public address space (66.243
net) to a private address space (10.102 net). Everything works, except
when I'm on the DMZ and try to reach another DMZ machine through it's
public IP. The requests traverse the DNAT rule which *should* translate
them to their 10.102 destination address (and it works from my LAN or from
the internet), but instead the address isn't rewritten.
Example: public IP is 66.243.73.184 which is NAT'd to 10.102.1.2. If I
tcpdump on 10.102.1.2 and use a web browser from an internet host
(somewhere else in the world), I see something like:
14:25:00.353543 152.163.190.1.38300 > 10.102.1.2.80: S
3550573715:3550573715(0) win 24820 <nop,nop,sackOK,mss 1412> (DF) [tos
0x10]
14:25:00.353578 10.102.1.2.80 > 152.163.190.1.38300: S
1480002886:1480002886(0) ack 3550573716 win 15532 <mss
1412,nop,nop,sackOK> (DF)
14:25:00.423200 152.163.190.1.38300 > 10.102.1.2.80: . ack 1 win 25416
(DF) [tos 0x10]
14:25:01.333833 152.163.190.1.38300 > 10.102.1.2.80: P 1:6(5) ack 1 win
25416 (DF) [tos 0x10]
However, if I tcpdump and try the same thing from the host itself, I see:
13:59:42.698619 10.102.1.2.3024 > 66.243.73.184.80: S
4167737472:4167737472(0) win 16060 <mss 1460,sackOK,timestamp 25440395
0,nop,wscale 0> (DF) [tos 0x10]
Since I can look at the number of packets sent over the DNAT rule via
'iptables -t nat -v -L' and *see* the number of packets changing
corresponding to the number sent (and the intervals sent), I'm *sure* the
packets are traversing that rule, but not getting NAT'ed. Does anyone
have any ideas *why* this might be happening? Is this a bug? Does anyone
perhaps have a workaround for it? I could run split-DNS (DNS-views) or IP
alias the server, but it's a kludge, and I really *want* my firewall to do
the translation right.
Thanks!
^ permalink raw reply [flat|nested] 41+ messages in thread
* DNAT problem
@ 2002-11-19 8:07 HCLFM
2002-11-21 21:53 ` Rahul Jadhav
0 siblings, 1 reply; 41+ messages in thread
From: HCLFM @ 2002-11-19 8:07 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 720 bytes --]
Hi,
I have Redhat Linux 7.1 Kernel version 2.4.2-2.
with iptables v1.2.7 .
This nat module is loaded with ip_tables module
iptable_nat 16160 0 (autoclean) [ipt_MASQUERADE]
I'm trying to setup DNAT for port forwarding as per iptables documents . I have ip forwarding enabled. I want port forward from external interface to a internal server .
But the setup is not working , I have tried with all possible styles of PREROUTING chain.
When I connect to external IP address with the particular port , I get a "connection refused" error. But the software port forwarders work perfectly. I feel that the problem lies in proxy ARP support of the kernel.
Any suggestions ?
regards,
U.SivaKumar
[-- Attachment #2: Type: text/html, Size: 1058 bytes --]
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: DNAT problem
2002-11-19 8:07 HCLFM
@ 2002-11-21 21:53 ` Rahul Jadhav
0 siblings, 0 replies; 41+ messages in thread
From: Rahul Jadhav @ 2002-11-21 21:53 UTC (permalink / raw)
To: HCLFM; +Cc: netfilter
HCLFM wrote:
> Hi,
>
> I have Redhat Linux 7.1 Kernel version 2.4.2-2.
> with iptables v1.2.7 .
>
> This nat module is loaded with ip_tables module
> iptable_nat 16160 0 (autoclean) [ipt_MASQUERADE]
>
> I'm trying to setup DNAT for port forwarding as per iptables documents
> . I have ip forwarding enabled. I want port forward from external
> interface to a internal server .
>
> But the setup is not working , I have tried with all possible styles
> of PREROUTING chain.
> When I connect to external IP address with the particular port , I get
> a "connection refused" error. But the software port forwarders work
> perfectly. I feel that the problem lies in proxy ARP support of the
> kernel.
>
> Any suggestions ?
>
> regards,
> U.SivaKumar
This may not exactly be your problem...
I had a similar problem and I found that the router wasn't forwarding
traffic to the firewall machine. Check your router config to see if the
traffic is getting thru to it.
goodluck!
Rahul
--
__ __ __ __
/_/ /_ \ _/ / / \ Institute for Agriculture
__ __/ / \ _/ / / / and Trade Policy
/ / / / / / / __/ 2105 First Ave S
/ / / / / / /_ / / Minneapolis MN 55404
\/ \__/ \__/ \/ http://www.iatp.org
I N F O R M A T I O N T E C H N O L O G Y
The best things in life are done by people with nowhere to turn.
-The Blind Assassin (Margaret Atwood)
^ permalink raw reply [flat|nested] 41+ messages in thread
* dnat problem
@ 2002-05-21 20:53 support
2002-06-13 17:28 ` Antony Stone
0 siblings, 1 reply; 41+ messages in thread
From: support @ 2002-05-21 20:53 UTC (permalink / raw)
To: netfilter
hello all,
this is my first time posting to this board. i am having trouble
with my iptables rules. my configuration consists of a linux
router as the main network gateway and firewall providing NAT and
ipsec. i have compiled kernel 2.4.17 with freeS/WAN version
1.91. i have a source nat rule set up so my non-routable
addresses can use the gateway to reach the internet. i did not use
the MASQUERADE target.
here is my Source nat rule
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to
w.x.y.z
I also have some destination nat rules set up.
iptables -t nat -A PREROUTING -d w.x.y.a -p tcp -m tcp --dport 80 -j
DNAT --to-destination 192.168.1.48
There are about 5 additional dnat rules that are basically the same
so I won't list them.
the problem i am having is that the internal private subnet
(192.168.1.0/24) on my network is unable to bring up sites that
have been setup using dnat rules. external users have no problem
viewing the sites i have set up dnat rules for.
any help would be greatly appreciated.
thanks
---
Ollie Gallardo
^ permalink raw reply [flat|nested] 41+ messages in thread
end of thread, other threads:[~2006-10-03 14:48 UTC | newest]
Thread overview: 41+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-06-10 11:03 DNAT problem Paul M. Goorskis
[not found] <45227670.8040702@mail.nankai.edu.cn>
2006-10-03 14:48 ` Marco Berizzi
[not found] <4521C6A3.1040902@mail.nankai.edu.cn>
2006-10-03 10:11 ` Marco Berizzi
-- strict thread matches above, loose matches on Subject: below --
2006-10-02 8:00 Stefan Friedel
2006-10-02 8:25 ` Marco Berizzi
2006-10-02 10:42 ` Pascal Hambourg
2006-10-02 12:01 ` Stefan Friedel
2006-10-02 12:51 ` Marco Berizzi
2006-10-02 13:14 ` Pascal Hambourg
2006-10-02 14:18 ` Stefan Friedel
2006-10-02 12:48 ` Marco Berizzi
2006-07-08 21:00 Antonio Di Bacco
2005-01-22 15:59 dnat problem Pablo Allietti
2005-01-22 19:45 ` Jason Opperisano
2005-01-23 0:26 ` Pablo Allietti
[not found] ` <20050125150114.GA25839@omega.lacnic.net.uy>
2005-01-25 15:24 ` Pablo Allietti
2005-01-25 15:25 ` Pablo Allietti
2004-05-29 15:25 DNAT problem Patrick Leslie Polzer
2004-05-29 15:36 ` Alexis
2004-05-29 16:03 ` Patrick Leslie Polzer
2004-05-30 1:00 ` Alexis
2004-04-27 5:57 [Fwd: Re: DNAT Problem] test
2004-04-27 7:20 ` DNAT Problem Rob Sterenborg
[not found] ` <1081.80.0.0.23.1083127867.squirrel@80.0.0.175>
[not found] ` <000901c42cef$68603d40$1202a8c0@admin>
2004-05-04 5:32 ` test
2004-04-19 5:07 test
2004-04-19 13:43 ` Joel Newkirk
2004-04-20 4:31 ` test
2004-04-22 10:40 ` test
2004-04-22 11:07 ` Antony Stone
[not found] ` <1589.80.0.0.23.1082637754.squirrel@80.0.0.175>
2004-04-22 12:47 ` Antony Stone
2004-04-22 13:06 ` test
2004-04-22 13:21 ` Antony Stone
2004-04-22 18:18 ` test
2004-04-22 19:13 ` Antony Stone
2004-04-23 12:22 ` test
2003-03-30 14:58 DNAT problem Alexandru Coseru
2003-03-30 15:41 ` Joel Newkirk
2002-11-27 19:28 Geoff Silver
2002-11-19 8:07 HCLFM
2002-11-21 21:53 ` Rahul Jadhav
2002-05-21 20:53 dnat problem support
2002-06-13 17:28 ` Antony Stone
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.