From: Justin Kay
Subject: DNAT
Date: Thu, 12 Dec 2002 11:00:55 -0700
To: "Netfilter (E-mail)"

When using a Linux box to DNAT to some other boxes in a private address space, do you need to alias all of the public IP addresses that you will be doing DNAT for on the Linux box?

  internet ---> 208.224.51.10 (LINUX PUB IP FAKE) Linux/DNAT ---> 10.10.20.15 other box
                208.224.51.11 (alias used for other box)

IS THIS NEEDED in order for it to work?

Justin


From: "Alexandru Coseru"
Subject: DNAT
Date: Sun, 30 Mar 2003 17:30:29 +0300
To: netfilter@lists.netfilter.org

hello.. I have the following problem... I have a Linux gateway with the external IP x.x.x.x and internal IP 192.168.0.1. I want to make a DNAT and mask a connection from the external IP, forwarded to one of my LAN's computers, and the LAN computer to see it as 192.168.0.1, not x.x.x.x
From: Mattia Martinello
Subject: DNAT
Date: Fri, 29 Aug 2003 00:57:33 +0200
To: netfilter@lists.netfilter.org

Hi all

I created a script that sets up a set of rules on the nat table. It works well without any problem on SuSE 8.0, and now I wish to move the system to Debian. I installed Debian, I set up the network correctly like on SuSE and I copied the script to it. The script shows me no error, and the rules work well, but there is a little problem. The DNATs from the local network work very well (I can see the server which is on the DMZ from the local network), but the DNATs from the Internet don't work! From the Internet (ppp0) I cannot see the server which is on the DMZ. On SuSE 8.0 everything works well and I didn't change anything in the script! The input, output and forward chains are all set to ACCEPT, like all the chains on the nat table.

This works well:

  iptables -t nat -A POSTROUTING -s $LocalNET/24 -o ppp0 -j MASQUERADE
  iptables -t nat -A POSTROUTING -s $LocalNET/24 -o ppp0 -j ACCEPT
  iptables -t nat -A POSTROUTING -s $LocalNET/255.255.255.0 -o eth2 -j MASQUERADE
  iptables -t nat -A PREROUTING -p tcp -i eth1 -d $PublicIP -j DNAT --to $ServerIP

This DOESN'T work! :(

  iptables -t nat -A PREROUTING -p tcp -i ppp0 -d $PublicIP --dport 80 -j DNAT --to $ServerIP:80

The kernel in use is 2.4.20 with all netfilter modules. Where could the problem be?

Thank you very much!
Bye
Mattia.
From: Nejc Skoberne
Subject: DNAT
Date: Mon, 8 Sep 2003 16:40:15 +0200
To: netfilter@lists.netfilter.org

Hi.

I have a problem with DNAT. I want to set up port forwarding. In the local network I have two servers and workstations. One (main) server is listening at some port, let's say 4444. The other one also acts as a gateway to the Internet and I set up port forwarding like this:

  iptables -t nat -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444

where 192.168.1.1 is the IP of the main server which runs the service. If I try to connect from outside, everything works fine. If I try to connect from one of the workstations to the gateway machine on port 4444, nothing happens. tcpdump shows just requests but no answers. Why doesn't DNAT work also for local IP addresses?

Thanks.

-- 
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si


From: Jim Carter
Subject: Re: DNAT
Date: Mon, 8 Sep 2003 15:20:01 -0700 (PDT)
To: Nejc Skoberne
Cc: netfilter@lists.netfilter.org

On Mon, 8 Sep 2003, Nejc Skoberne wrote:

> I have a problem with DNAT. I want to set up port forwarding. In the local
> network I have two servers and workstations. One (main) server is listening
> at some port, let's say 4444. The other one also acts as a gateway
> to the Internet and I set up port forwarding like this:
>
> iptables -t nat -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444
>
> where 192.168.1.1 is the IP of the main server which runs the service.
> If I try to connect from outside, everything works fine. If I try to
> connect from one of the workstations to the gateway machine on port 4444,
> nothing happens. tcpdump shows just requests but no answers. Why
> doesn't DNAT work also for local IP addresses?

I'm assuming that the internal client has an address like 192.168.1.x.

Generally if a packet goes out the same interface it came in, that indicates that something nasty is going on, but in your case "that's not a bug, that's a feature". I seem to remember a specific prohibition against mirror-style routing (maybe for a different OS), but I looked in /usr/src/linux/Documentation/filesystems/proc.txt and failed to find where it could be enabled and disabled.

Can someone comment on whether this prohibition is present in Linux, and how to configure it?

James F. Carter          Voice 310 825 2897    FAX 310 206 6673
UCLA-Mathnet;  6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu  http://www.math.ucla.edu/~jimc (q.v. for PGP key)


From: Nejc Skoberne
Subject: Re: DNAT
Date: Tue, 9 Sep 2003 00:31:31 +0200
To: netfilter@lists.netfilter.org

Hi.

>> I have a problem with DNAT. I want to set up port forwarding. In the local
>> network I have two servers and workstations. One (main) server is listening
>> at some port, let's say 4444. The other one also acts as a gateway
>> to the Internet and I set up port forwarding like this:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 4444 -j DNAT --to 192.168.1.1:4444
>>
>> where 192.168.1.1 is the IP of the main server which runs the service.
>> If I try to connect from outside, everything works fine. If I try to
>> connect from one of the workstations to the gateway machine on port 4444,
>> nothing happens. tcpdump shows just requests but no answers. Why
>> doesn't DNAT work also for local IP addresses?

> I'm assuming that the internal client has an address like 192.168.1.x.

Exactly.

> Generally if a packet goes out the same interface it came in, that
> indicates that something nasty is going on, but in your case "that's not a
> bug, that's a feature". I seem to remember a specific prohibition against
> mirror-style routing (maybe for a different OS), but I looked in
> /usr/src/linux/Documentation/filesystems/proc.txt and failed to find where
> it could be enabled and disabled.

> Can someone comment on whether this prohibition is present in Linux, and
> how to configure it?

I would really appreciate it.

Thanks, Jim!

-- 
Nejc Skoberne
Grajska 5
SI-5220 Tolmin
E-mail: nejc.skoberne@guest.arnes.si


From: "George Vieira"
Subject: RE: DNAT
Date: Tue, 9 Sep 2003 08:48:50 +1000
To: Nejc Skoberne, netfilter@lists.netfilter.org

This is a typical problem which gets asked over and over again. If you think about it carefully, you'll understand why this doesn't work.

Explained:

1. Your internal client tries to access the server on its external address.
2. The firewall DNATs it, changing its external address to the internal server address.
3. The packet arrives at the destination of 192.168.1.1.
4. The server responds to the SYN and "sends it back to 192.168.1.X DIRECTLY".
5. The client machine receives a packet from 192.168.1.1 and drops the packet because it has no reference to that machine, only to the w.x.y.z IP address. So the connection is never made.
6. Use SNAT between the local machines and the internal 192.168.1.1:4444 machine as you would when the internal users browse the Internet and you masquerade them. You have to masquerade them for the internal server too.

  iptables -t nat -A POSTROUTING -p tcp --dport 4444 -s 192.168.1.0/24 -d 192.168.1.1 -j SNAT --to-source $FIREWALLINTERNALIP

The above rule should fix that..
From: Payal Rathod
Subject: DNAT
Date: Tue, 26 Oct 2004 06:20:23 -0400
To: Netfilter ML

Hi,
I want to access my internal machine from outside. But I am unable to do so. I tried,

  # iptables -t nat -I PREROUTING -d -p tcp --dport 8081 -j DNAT --to-destination 192.168.0.16:80
  # iptables -I INPUT -p tcp --dport 8081 -j ACCEPT
  # iptables -I FORWARD -s 192.168.0.16 -j ACCEPT

I know these are very crude but they are simple to start with. Also, once I get one more public IP from my ISP, I will NAT it to the internal machine. Can anyone give pointers on this and the above as to why it is not working? If this is right, is it possible that my ISP might be blocking traffic from outside to ports other than the few?

With warm regards,
-Payal


From: Primero
Subject: Re: DNAT
Date: Tue, 26 Oct 2004 12:30:33 +0200
To: Payal Rathod
Cc: Netfilter ML

Payal Rathod wrote:

> Hi,
> I want to access my internal machine from outside. But I am unable to do
> so. I tried,
> # iptables -t nat -I PREROUTING -d -p tcp --dport 8081 -j DNAT --to-destination 192.168.0.16:80
> # iptables -I INPUT -p tcp --dport 8081 -j ACCEPT

the one above is useless because the INPUT chain in this case is not traversed.

> # iptables -I FORWARD -s 192.168.0.16 -j ACCEPT

This one is the one you need... but you have to make the check on destination and not on source, so

  # iptables -I FORWARD -d 192.168.0.16 -j ACCEPT

> With warm regards,
> -Payal

bye :)

-- 
"Linux, the choice of a GNU generation"
==Micro$oft - just say NO==


From: Jason Opperisano
Subject: Re: DNAT
Date: Tue, 26 Oct 2004 08:42:14 -0400
To: netfilter@lists.netfilter.org

On Tue, 2004-10-26 at 06:20, Payal Rathod wrote:

> Hi,
> I want to access my internal machine from outside. But I am unable to do
> so. I tried,
> # iptables -t nat -I PREROUTING -d -p tcp --dport 8081 -j DNAT --to-destination 192.168.0.16:80

that looks ok... keep in mind you'll need to go to:

  http://:8081

to hit the server from the outside

> # iptables -I INPUT -p tcp --dport 8081 -j ACCEPT

nope--try:

  iptables -A FORWARD -p tcp -d 192.168.0.16 --dport 80 -j ACCEPT

once PREROUTING is traversed--the packet is forever changed from the perspective of all remaining chains.

> # iptables -I FORWARD -s 192.168.0.16 -j ACCEPT

i guess the point of that is to allow the replies back? ok, i guess...

-j

-- 
Jason Opperisano


From: Kai Hendry
Subject: DNAT
Date: Tue, 19 Jul 2005 12:01:22 +1000
To: netfilter@lists.netfilter.org

I have three machines:

  192.168.0.1
  192.168.0.3
  192.168.0.9

On 9 there is a service running on port 1199 that I want clients (at 3) to use from 1.

With SSH I can get this working from 1 with clients at 1 with:

  ssh -L 1199:localhost:1199 192.168.0.9

Though telnet localhost 1199 only works, not telnet 192.168.0.1 1199.

Anyway, I don't need encryption. DNAT is what I've been told I need, so:
http://netfilter.org/documentation/HOWTO//NAT-HOWTO-10.html

  $ cat i.sh
  sudo /sbin/iptables -t nat -F
  # This alone doesn't work
  sudo /sbin/iptables -t nat -A PREROUTING -p tcp --dport 1199 -i eth0 -j DNAT --to 192.168.0.9:1199
  # I suspect something is wrong here:
  sudo /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 1199 -j SNAT --to 192.168.0.1:1199
  sudo /sbin/iptables -t nat -vnxL --line-numbers

It just does not work when from 3:

  $ telnet 192.168.0.1 1199
  Trying 192.168.0.1...

Packets do show up:

  SOLTEC-HDSVR$ sudo /sbin/iptables -t nat -vnxL --line-numbers
  Chain PREROUTING (policy ACCEPT 6494 packets, 466878 bytes)
  num   pkts  bytes target  prot opt in    out  source      destination
  1        4    240 DNAT    tcp  --  eth0  *    0.0.0.0/0   0.0.0.0/0    tcp dpt:1199 to:192.168.0.9:1199

  Chain POSTROUTING (policy ACCEPT 2102 packets, 388967 bytes)
  num   pkts  bytes target  prot opt in    out  source      destination

  Chain OUTPUT (policy ACCEPT 2102 packets, 388967 bytes)
  num   pkts  bytes target  prot opt in    out  source      destination

Though from 1 not at all:

  $ telnet 192.168.0.1 1199
  Trying 192.168.0.1...
  telnet: Unable to connect to remote host: Connection refused

What am I doing wrong?
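The hairpin problem George Vieira walks through, Kai Hendry's failure when connecting from the gateway itself, and the point from the Payal Rathod exchange that FORWARD sees the translated destination, brought together in one rule set. This is an added example, not code from any post in the thread; the addresses (203.0.113.10 as the public IP, 192.168.1.254 as the gateway's LAN address), the IPTABLES wrapper variable and the function name hairpin_nat are assumptions.

```shell
#!/bin/sh
# Added example, not taken from any post in the thread: one rule set for the
# hairpin-NAT situation the thread describes. Addresses, the $IPTABLES
# wrapper and the function name are assumptions for illustration.
# Forwarding must also be enabled on the gateway (net.ipv4.ip_forward=1).
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES=echo for a dry run

# hairpin_nat PUBLIC_IP LAN_NET GW_LAN_IP SERVER_IP PORT
hairpin_nat() {
    pub="$1" lan="$2" gw="$3" srv="$4" port="$5"

    # 1. Internet and LAN clients addressing the public IP: rewrite the
    #    destination before routing. Matching on -d rather than -i lets one
    #    rule serve packets arriving on either interface.
    $IPTABLES -t nat -A PREROUTING -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$srv:$port"

    # 2. Connections the gateway itself opens (Kai's "from 1 not at all")
    #    never traverse PREROUTING; locally generated packets pass nat/OUTPUT.
    $IPTABLES -t nat -A OUTPUT -p tcp -d "$pub" --dport "$port" \
        -j DNAT --to-destination "$srv:$port"

    # 3. The hairpin fix: after DNAT the destination is the server, so match
    #    that. Restricting to LAN sources keeps real Internet client addresses
    #    in the server's logs. No port in --to-source: a fixed source port
    #    would make every LAN client's connection collide in the server's view.
    $IPTABLES -t nat -A POSTROUTING -p tcp -s "$lan" -d "$srv" --dport "$port" \
        -j SNAT --to-source "$gw"

    # 4. filter/FORWARD sees the post-DNAT destination, never the public IP
    #    (the point made in the Payal Rathod thread).
    $IPTABLES -A FORWARD -p tcp -d "$srv" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -s "$srv" --sport "$port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

# Stand-alone: "apply" loads the rules (needs root); otherwise print them.
if [ "${1:-}" = "apply" ]; then
    hairpin_nat 203.0.113.10 192.168.1.0/24 192.168.1.254 192.168.1.1 4444
else
    ( IPTABLES=echo; hairpin_nat 203.0.113.10 192.168.1.0/24 192.168.1.254 192.168.1.1 4444 )
fi
```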