DNAT

DNAT

[Payal Rathod]

Hi,
I want to access my internal machine from outside. But I am unable to do 
so. I tried,
# iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport
8081 -j DNAT --to-destination 192.168.0.16:80
# iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
# iptables -I FORWARD -s 192.168.0.16 -j ACCEPT

I know these are very crude but they are simple to start with. Also,
once I get one more public IP from my ISP, I will NAT it to the
internal machine.
Can anyone give pointers on this and above to why it is not working?
If this is right, is it possible that my ISP might be blocking 
traffic from outside to ports other than the few.

With warm regards,
-Payal

Re: DNAT

[Primero]

[-- Attachment #1: Type: text/plain, Size: 850 bytes --]

Payal Rathod wrote:

>Hi,
>I want to access my internal machine from outside. But I am unable to do 
>so. I tried,
># iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport
>8081 -j DNAT --to-destination 192.168.0.16:80
># iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
>  
>
the one above is useless because the INPUT chain in this case is not 
traversed.

># iptables -I FORWARD -s 192.168.0.16 -j ACCEPT
>  
>
This one is the one u need ... but u have to make the check on 
destination and not on source so
#iptables -I FORWARD -d 192.168.0.16 -j ACCEPT

>With warm regards,
>-Payal
>
>  
>
bye :)


-- 
---------------------------------------
#######################################

"Linux, the choice of a GNU generation"
     ==Micro$oft - just say NO== 

#######################################
---------------------------------------


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: DNAT

[Jason Opperisano]

On Tue, 2004-10-26 at 06:20, Payal Rathod wrote:
> Hi,
> I want to access my internal machine from outside. But I am unable to do 
> so. I tried,
> # iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport
> 8081 -j DNAT --to-destination 192.168.0.16:80

that looks ok...keep in mind you'll need to go to: 
http://<my_ext_ip>:8081 to hit the server from the outside

> # iptables -I INPUT -p tcp --dport 8081 -j ACCEPT

nope--try:

  iptables -A FORWARD -p tcp -d 192.168.0.16 --dport 80 -j ACCEPT

once PREROUTING is traversed--the packet is forever changed from the
perspective of all remaining chains.

> # iptables -I FORWARD -s 192.168.0.16 -j ACCEPT

i guess the point of that is to allow the replies back?  ok, i guess...

-j

-- 
Jason Opperisano <opie@817west.com>

DNAT

[Kai Hendry]

I have three machines:
192.168.0.1
192.168.0.3
192.168.0.9

On 9 there is service running on port 1199 that I want clients (at 3) to 
use from 1.

With SSH I can get this working from 1 with clients at 1 with:
ssh -L 1199:localhost:1199 192.168.0.9
Thought telnet localhost 1199 only works, not telnet 192.168.0.1 1199
Anyway, I don't need encryption.

DNAT is what I've been told I need so:
http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

$ cat i.sh
sudo /sbin/iptables -t nat -F
# This alone doesn't work
sudo /sbin/iptables -t nat -A PREROUTING -p tcp --dport 1199 -i eth0 -j 
DNAT --to 192.168.0.9:1199
# I suspect something is wrong here:
sudo /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 1199 -j SNAT 
--to 192.168.0.1:1199
sudo /sbin/iptables -t nat -vnxL --line-numbers

It just does not work when from 3:
$ telnet 192.168.0.1 1199
Trying 192.168.0.1...

Packets do show up:
SOLTEC-HDSVR$ sudo /sbin/iptables -t nat -vnxL --line-numbers
Chain PREROUTING (policy ACCEPT 6494 packets, 466878 bytes)
num      pkts      bytes target     prot opt in     out     
source               destination
1           4      240 DNAT       tcp  --  eth0   *       
0.0.0.0/0            0.0.0.0/0          tcp dpt:1199 to:192.168.0.9:1199

Chain POSTROUTING (policy ACCEPT 2102 packets, 388967 bytes)
num      pkts      bytes target     prot opt in     out     
source               destination

Chain OUTPUT (policy ACCEPT 2102 packets, 388967 bytes)
num      pkts      bytes target     prot opt in     out     
source               destination

Though from 1 not at all:
$ telnet 192.168.0.1 1199
Trying 192.168.0.1...
telnet: Unable to connect to remote host: Connection refused

What am I doing wrong?

DNAT

[Payal Rathod]

Hi,
I want to access my internal machine from outside. But I am unable to do 
so. I tried,
# iptables -t nat -I PREROUTING -d <my_ext_ip> -p tcp --dport
8081 -j DNAT --to-destination 192.168.0.16:80
# iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
# iptables -I FORWARD -s 192.168.0.16 -j ACCEPT

I know these are very crude but they are simple to start with. Also,
once I get one more public IP from my ISP, I will NAT it to the
internal machine.
Can anyone give pointers on this and above to why it is not working?
If this is right, is it possible that my ISP might be blocking 
traffic from outside to ports other than the few.

With warm regards,
-Payal

RE: DNAT

[George Vieira]

This is a typical problem which gets asked over and over again. If you think about it carefully, you'll understand why this doesn't work.

Explained:

1. Your internal tries to access the server on it's external address.
2. The firewall DNATs it changing it's external address to the internal server address.
3. The packet arrives at the destination of 192.168.1.1
4. The Server responses to the SYN and "sends it back to 192.168.1.X DIRECTLY"
5. The client machine receives a packet from 192.168.1.1 and drops the packet because it has no reference to that machine, only to the w.x.y.z IP address. So the connection is never made.

6. Use SNAT between the local machines and the internal 192.168.1.1:4444 machine as you would when the internal users browse the internet and you masquerade them. You have to masquerade them for the internal server too.

iptables -A POSTROUTING -p tcp --dport 4444 -s 192.168.1.0/24 -d 192.168.1.1 -j SNAT $FIREWALLINTERNALIP

The above rule should fix that..

-----Original Message-----
From: Nejc Skoberne [mailto:nejc.skoberne@guest.arnes.si]
Sent: Tuesday, September 09, 2003 12:40 AM
To: netfilter@lists.netfilter.org
Subject: DNAT


Hi.

I have a problem with DNAT. I want to set up portforwarding. In local
network I have two servers and workstations. One (main) server is listening
at some port, let's say 4444. The other one also acts like a gateway
to internet and I set up a portforwarding like this:

iptables -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444

where 192.168.1.1 is the IP of the main server which runs the service.
If I try to connect from outside, everything works fine. If I try to
connect from one of workstations to the gateway machine to port 4444,
nothing happens. tcpdumps shows just requests but no answers. Why
doesnt DNAT work also for local IP addresses?

Thanks.

-- 
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si

DNAT

[Nejc Skoberne]

Hi.

I have a problem with DNAT. I want to set up portforwarding. In local
network I have two servers and workstations. One (main) server is listening
at some port, let's say 4444. The other one also acts like a gateway
to internet and I set up a portforwarding like this:

iptables -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444

where 192.168.1.1 is the IP of the main server which runs the service.
If I try to connect from outside, everything works fine. If I try to
connect from one of workstations to the gateway machine to port 4444,
nothing happens. tcpdumps shows just requests but no answers. Why
doesnt DNAT work also for local IP addresses?

Thanks.

-- 
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si

Re: DNAT

[Jim Carter]

On Mon, 8 Sep 2003, Nejc Skoberne wrote:
> I have a problem with DNAT. I want to set up portforwarding. In local
> network I have two servers and workstations. One (main) server is listening
> at some port, let's say 4444. The other one also acts like a gateway
> to internet and I set up a portforwarding like this:
>
> iptables -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444
>
> where 192.168.1.1 is the IP of the main server which runs the service.
> If I try to connect from outside, everything works fine. If I try to
> connect from one of workstations to the gateway machine to port 4444,
> nothing happens. tcpdumps shows just requests but no answers. Why
> doesnt DNAT work also for local IP addresses?

I'm assuming that the internal client has an address like 192.168.1.x.
Generally if a packet goes out the same interface it came in, that
indicates that something nasty is going on, but in your case "that's not a
bug, that's a feature".  I seem to remember a specific prohibition against
mirror-style routing (maybe for a different OS), but I looked in
/usr/src/linux/Documentation/filesystems/proc.txt and failed to find where
it could be enabled and disabled.

Can someone comment on whether this prohibition is present in Linux, and
how to configure it?

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)

Re: DNAT

[Nejc Skoberne]

Hi.

>> I have a problem with DNAT. I want to set up portforwarding. In local
>> network I have two servers and workstations. One (main) server is listening
>> at some port, let's say 4444. The other one also acts like a gateway
>> to internet and I set up a portforwarding like this:
>>
>> iptables -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444
>>
>> where 192.168.1.1 is the IP of the main server which runs the service.
>> If I try to connect from outside, everything works fine. If I try to
>> connect from one of workstations to the gateway machine to port 4444,
>> nothing happens. tcpdumps shows just requests but no answers. Why
>> doesnt DNAT work also for local IP addresses?

> I'm assuming that the internal client has an address like 192.168.1.x.

Exactly.

> Generally if a packet goes out the same interface it came in, that
> indicates that something nasty is going on, but in your case "that's not a
> bug, that's a feature".  I seem to remember a specific prohibition against
> mirror-style routing (maybe for a different OS), but I looked in
> /usr/src/linux/Documentation/filesystems/proc.txt and failed to find where
> it could be enabled and disabled.

> Can someone comment on whether this prohibition is present in Linux, and
> how to configure it?

I would really appreciate it. Thanks, Jim!

-- 
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si

DNAT

[Mattia Martinello]

Hi all

I created a script that setup a set of rules on the nat table.
It works good without any problem on SuSE 8.0, and now I wish to move 
the system on Debian.
I installed Debian and I set the network correctly like on SuSE and I 
copied the script on it.
The scripts shows me no error, and the rules works good, but there is a 
little problem.
The DNATs from the local network works very well (I can see the server 
which is on the DMZ from the local network), but the DNATs from the 
Internet doesn't work! From the Internet (ppp0) i cannot see the server 
which is on the DMZ.
On SuSE 8.0 all works good and I didn't change anything in the script!
The input, output and forward chains are all setted on ACCEPT, like all 
the chains on the nat table.

This works good:
iptables -t nat -A POSTROUTING -s $LocalNET/24 -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LocalNET/24 -o ppp0 -j ACCEPT
iptables -t nat -A POSTROUTING -s $LocalNET/255.255.255.0 -o eth2 -j 
MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth1 -d $PublicIP -j DNAT --to 
$ServerIP

This DOESN'T work! :(
iptables -t nat -A PREROUTING -p tcp -i ppp0 -d $PublicIP --dport 80 -j 
DNAT --to $ServerIP:80

The kernel in use is 2.4.20 with all netfilter modules.

Where could be the problem?

Thank you very much!
Bye
Mattia.

DNAT

[Alexandru Coseru]

[-- Attachment #1: Type: text/plain, Size: 292 bytes --]

hello.. I have the folowing problem...  I have a linux gateway with the external IP x.x.x.x  and internal Ip 192.168.0.1.    I want to make a DNAT and mask a conection from the external IP , forwarded to one of my lan's computer , and the lan computer to see it as 192.168.0.1 , not x.x.x.x

[-- Attachment #2: Type: text/html, Size: 633 bytes --]

DNAT

[Justin Kay]

When using a linux box to DNAT to some other boxes in a private address
space, do you need to alias all of the public ip addresses that you will be
doing DNAT for on the linux box?

internet--->208.224.51.10 (LINUX PUB IP FAKE) Linux/DNAT---> 10.10.20.15
other box
	    208.224.51.11 (alias used for other box)  IS THIS NEEDED in
order for it to work?	


Justin