* Struggling with NAT: is PREROUTING working at all?
@ 2006-07-19 14:25 Daniel Drake
From: Daniel Drake @ 2006-07-19 14:25 UTC (permalink / raw)
  To: netfilter

Hi,

I have a network setup of:

Internet
  |
  |
ADSL ROUTER
external IP 1.2.3.4
internal IP 192.168.1.1, runs DHCP server on this network
  |
  |
LINUX SYSTEM
'external' IP 192.168.1.200 (eth1)
internal IP 192.168.0.200 (eth0)
Runs SOCKS proxy
  |
  |
INTERNAL NETWORK
Various internal clients at 192.168.0.x
Internal clients use SOCKS proxy for internet access
Main server at 192.168.1.1 running DHCP daemon

In other words, I don't trust the router, so I have partitioned it off 
in its own little network to the Linux system (192.168.1.x). I do not 
run MASQ/NAT on the 192.168.0.x network, so the internal clients use the 
socks proxy for external network access.

I have enabled DMZ mode on the router, but this isn't exactly what I 
thought a DMZ was. It just means that all 'unknown' ports are forwarded 
to the linux system - there is still some NAT going on between the 
router and linux system.

Now, what I want is port forwarding between internet and internal: I 
want to run a service on an internal machine and have it accessible to 
the outside world, i.e. I want to forward 1.2.3.4:5678 to 
192.168.0.32:9876 (TCP).

These are two separate networks only linked by the Linux system in the 
middle, so I want to use this to perform the required translations. I've 
successfully set up port forwarding on slightly less confusing networks 
in the past, but I've spent several hours struggling on this one without 
any luck.

The connections get through the router fine, but I'm having problems 
where it seems PREROUTING doesn't take effect: I can accept the 
connections on the Linux box (even when PREROUTING rules are in place).

I took a step back and re-read the iptables man page. It says that the 
nat table is consulted whenever a new connection is about to be 
established, and PREROUTING is used when packets come in, so I'd expect 
this rule to give me a lot of output:

     iptables -t nat -A PREROUTING -j LOG

But, I get nothing, even when successfully establishing a new connection 
from the outside to the linux system. Logging is definitely working 
since I can get logs from other rules.

No other rules are in place before this one, my script simply clears all 
tables/chains, sets all policies to ACCEPT, then runs the above command.

Am I missing something, or is PREROUTING not triggering when it should be?

Thanks,
Daniel
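The forward described above (1.2.3.4:5678 to 192.168.0.32:9876 through the dual-homed Linux box) and the PREROUTING logging question, worked through as an added example; this script is not from the thread or from any of its posters. It assumes the router's DMZ forward rewrites the public destination to the box's eth1 address 192.168.1.200 before the packet arrives (so the nat rule must match that address, not 1.2.3.4), that eth1/eth0 carry the addresses listed in the post, and that 192.168.0.32 has no route back to Internet sources through this box (the internal hosts use the SOCKS proxy), which is why the forwarded connection is also source-NATed. The logging rules rely on two facts: the nat table is consulted only for the packet that creates a connection-tracking entry, so a connection that is already tracked, for instance one opened before the tables were flushed, never traverses nat/PREROUTING again; mangle/PREROUTING sees every packet, so comparing the two counters shows whether packets are arriving at all. A rule with no match, such as `-t nat -A PREROUTING -j LOG`, is valid and matches every packet the chain sees; `-s 0.0.0.0/0` is the default and changes nothing.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT port forward through a
# dual-homed box, plus logging rules that show why a LOG rule in
# nat/PREROUTING can stay silent. Run as root: sh portfwd.sh apply
# Set IPT=echo (and SYSCTL=echo) to dry-run and inspect the commands.

IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

EXT_IF=eth1            # side facing the ADSL router
EXT_IP=192.168.1.200   # ASSUMPTION: router's DMZ forward delivers to this address
INT_IF=eth0
INT_IP=192.168.0.200
EXT_PORT=5678
TARGET=192.168.0.32
TARGET_PORT=9876

flush_all() {
    for t in filter nat mangle; do
        $IPT -t $t -F
        $IPT -t $t -X
    done
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

portforward_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # 1. nat/PREROUTING runs once per connection, on its first packet:
    #    rewrite the destination before the routing decision.
    $IPT -t nat -A PREROUTING -i $EXT_IF -p tcp -d $EXT_IP --dport $EXT_PORT \
        -j DNAT --to-destination $TARGET:$TARGET_PORT
    # 2. After DNAT the packet is routed out eth0, so filter/FORWARD
    #    (not INPUT) is what must accept it, in both directions.
    $IPT -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $TARGET --dport $TARGET_PORT \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i $INT_IF -o $EXT_IF \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. ASSUMPTION: the target has no route back to Internet sources
    #    via this box, so source-NAT the forwarded connection to the
    #    eth0 address; replies then return here and are un-NATed.
    $IPT -t nat -A POSTROUTING -o $INT_IF -p tcp -d $TARGET --dport $TARGET_PORT \
        -j SNAT --to-source $INT_IP
}

logging_rules() {
    # Logged only for the packet that creates the conntrack entry.
    $IPT -t nat -I PREROUTING -i $EXT_IF -p tcp --dport $EXT_PORT \
        -j LOG --log-prefix "nat-pre: "
    # Logged for every packet: if this fires and nat-pre does not,
    # the connection is already tracked (or was never NEW here).
    $IPT -t mangle -A PREROUTING -i $EXT_IF -p tcp --dport $EXT_PORT \
        -j LOG --log-prefix "mangle-pre: "
}

show_state() {
    $IPT -t nat -L PREROUTING -v -n -x
    $IPT -t mangle -L PREROUTING -v -n -x
    # Existing tracked connections to the forwarded port bypass nat.
    for f in /proc/net/ip_conntrack /proc/net/nf_conntrack; do
        [ -r "$f" ] && grep "dport=$EXT_PORT" "$f"
    done
    return 0
}

case "${1:-}" in
    apply) flush_all; portforward_rules; logging_rules ;;
    diag)  show_state ;;
esac
```

After `apply`, test from outside and read `dmesg`: a `mangle-pre:` line without a matching `nat-pre:` line for the same source means the packet belonged to a connection that conntrack already knew, which nat never revisits; `diag` lists those entries. Because of the SNAT in step 3 the service on 192.168.0.32 sees connections from 192.168.0.200 rather than the real client address, so log the original source on the Linux box (the `nat-pre:` line carries it) if you need it.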




* Re: Struggling with NAT: is PREROUTING working at all?
From: Martijn Lievaart @ 2006-07-21 17:34 UTC (permalink / raw)
  To: Daniel Drake; +Cc: netfilter

Daniel Drake wrote:

> I took a step back and re-read the iptables man page. It says that the 
> nat table is consulted whenever a new connection is about to be 
> established, and PREROUTING is used when packets come in, so I'd 
> expect this rule to give me a lot of output:
>
>     iptables -t nat -A PREROUTING -j LOG
>
> But, I get nothing, even when successfully establishing a new 
> connection from the outside to the linux system. Logging is definitely 
> working since I can get logs from other rules.
>
> No other rules are in place before this one, my script simply clears 
> all tables/chains, sets all policies to ACCEPT, then runs the above 
> command.
>
> Am I missing something, or is PREROUTING not triggering when it should be?


You may have hit a bug here. That should have worked. I never tried 
LOGging from prerouting, but the NAT functionality definitely works.

M4



* RE: Struggling with NAT: is PREROUTING working at all?
From: Sietse van Zanen @ 2006-07-24 12:41 UTC (permalink / raw)
  Cc: netfilter

Not a bug I think. You need to specify what to log. I don't think this rule will hit, as no parameters are specified.
 
Try something like this:
iptables -t nat -A PREROUTING -s 0.0.0.0/0 -j LOG
 
-Sietse


