NAT PREROUTING vs. filter FORWARD

All of lore.kernel.org
 help / color / mirror / Atom feed

* NAT PREROUTING vs. filter FORWARD
@ 2006-10-19 18:25 Mike
  2006-10-19 18:27 ` Mike
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: Mike @ 2006-10-19 18:25 UTC (permalink / raw)
  To: netfilter

I'm having difficulty with clients connecting to a game I'm hosting
over the internet.
So I'm wondering if my PREROUTING rule is conflicting with my FORWARD rule.

If I have these prerouting rules:

 $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
--to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
--to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
--to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
--to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
--to-destination 192.168.170.6
$IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
--to-destination 192.168.170.6

Then I should not have to worry about these FORWARD rules interfering
with the prerouted data getting to the server at 192.168.170.6 ---

$IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
ESTABLISHED,RELATED -j ACCEPT

Am I right or wrong?
If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
and leave out the ESTABLISHED,RELATED requirement?

Thanks for your time and assistance.

Mike

On 10/19/06, tarak@ossindia.com <tarak@ossindia.com> wrote:
> hello experts,
>
>               i have a problem in iptables, i want to customize the
> firewall. through iptable i want run a shell script which will keep an
> watch
> on each and every ip addresses in my organization, that how much amount
> of
> data downloading and uploading from those ip addresses...... seperately..
> is
> this possible to do,,,, if so please tell me how to do...
>
> thanks in advance
>
> Regards,
> Tarak Ranjan
>
>
>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT PREROUTING vs. filter FORWARD
  2006-10-19 18:25 NAT PREROUTING vs. filter FORWARD Mike
@ 2006-10-19 18:27 ` Mike
  2006-10-20  5:32 ` Jasbir Khehra
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 7+ messages in thread
From: Mike @ 2006-10-19 18:27 UTC (permalink / raw)
  To: netfilter

Sorry for the quoted text from another thread.
Accidentally copied it and did not realize before I hit Send.  :-(


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT PREROUTING vs. filter FORWARD
  2006-10-19 18:25 NAT PREROUTING vs. filter FORWARD Mike
  2006-10-19 18:27 ` Mike
@ 2006-10-20  5:32 ` Jasbir Khehra
  2006-10-20 13:36   ` Mike
  2006-10-20 15:14 ` Martijn Lievaart
       [not found] ` <4429765974127559812@unknownmsgid>
  3 siblings, 1 reply; 7+ messages in thread
From: Jasbir Khehra @ 2006-10-20  5:32 UTC (permalink / raw)
  To: Mike; +Cc: netfilter

Mike wrote:

> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD 
> rule.
>
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?

You just missing out on the rule to accept NEW state connections on your 
game ports
$IPTABLES -t filter -A FORWARD -i ppp0  -m state --state NEW -p tcp -m 
multiport --dports 34297,34397,34447  -j ACCEPT
Same rule for udp connections.

>
> Thanks for your time and assistance.
>
> Mike 

HTH,
Jasbir


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT PREROUTING vs. filter FORWARD
  2006-10-20  5:32 ` Jasbir Khehra
@ 2006-10-20 13:36   ` Mike
  0 siblings, 0 replies; 7+ messages in thread
From: Mike @ 2006-10-20 13:36 UTC (permalink / raw)
  To: jasbir.k; +Cc: netfilter

Thank you Jasbir!
I forgot about NEW option.
I will try later today and see if it makes success.
I appreciate your help.
Mike

On 10/20/06, Jasbir Khehra <jasbir.k@gmail.com> wrote:
> Mike wrote:
>
> > I'm having difficulty with clients connecting to a game I'm hosting
> > over the internet.
> > So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> > rule.
> >
> >
> > Then I should not have to worry about these FORWARD rules interfering
> > with the prerouted data getting to the server at 192.168.170.6 ---
> >
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > Am I right or wrong?
> > If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> > and leave out the ESTABLISHED,RELATED requirement?
>
> You just missing out on the rule to accept NEW state connections on your
> game ports
> $IPTABLES -t filter -A FORWARD -i ppp0  -m state --state NEW -p tcp -m
> multiport --dports 34297,34397,34447  -j ACCEPT
> Same rule for udp connections.
>
> >
> > Thanks for your time and assistance.
> >
> > Mike
>
> HTH,
> Jasbir
>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT PREROUTING vs. filter FORWARD
  2006-10-19 18:25 NAT PREROUTING vs. filter FORWARD Mike
  2006-10-19 18:27 ` Mike
  2006-10-20  5:32 ` Jasbir Khehra
@ 2006-10-20 15:14 ` Martijn Lievaart
       [not found] ` <4429765974127559812@unknownmsgid>
  3 siblings, 0 replies; 7+ messages in thread
From: Martijn Lievaart @ 2006-10-20 15:14 UTC (permalink / raw)
  To: Mike; +Cc: netfilter

<citaat van="Mike">
> I'm having difficulty with clients connecting to a game I'm hosting
> over the internet.
> So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> rule.
>
> If I have these prerouting rules:
>
>  $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
> $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> --to-destination 192.168.170.6
>
> Then I should not have to worry about these FORWARD rules interfering
> with the prerouted data getting to the server at 192.168.170.6 ---
>
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> Am I right or wrong?
> If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> and leave out the ESTABLISHED,RELATED requirement?
`
You have to ACCEPT these packets in your forward chain. What I generally
do (but I generate this with a script) is to duplicate the rules in
PREROUTING, once with -j MARK and once with -j DNAT, In FORWARD I then use
--mark to accept those DNATted connections all in one rule.

HTH,
M4



^ permalink raw reply	[flat|nested] 7+ messages in thread

[parent not found: <4429765974127559812@unknownmsgid>]

* Re: NAT PREROUTING vs. filter FORWARD
       [not found] ` <4429765974127559812@unknownmsgid>
@ 2006-10-20 17:04   ` Mike
  2006-10-21  6:46     ` Martijn Lievaart
  0 siblings, 1 reply; 7+ messages in thread
From: Mike @ 2006-10-20 17:04 UTC (permalink / raw)
  To: Martijn Lievaart; +Cc: netfilter

Martijn,
The sciprt idea sounds quite clever and efficient!
I would be very interested to see your method by script, if it is not
a security risk, etc.
Thank you very much for your response and idea.
Mike

On 10/20/06, Martijn Lievaart <m@rtij.nl> wrote:
> <citaat van="Mike">
> > I'm having difficulty with clients connecting to a game I'm hosting
> > over the internet.
> > So I'm wondering if my PREROUTING rule is conflicting with my FORWARD
> > rule.
> >
> > If I have these prerouting rules:
> >
> >  $IPTABLES -t nat -A PREROUTING -p tcp --dport 34297 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34297 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34397 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34397 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p tcp --dport 34447 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> > $IPTABLES -t nat -A PREROUTING -p udp --dport 34447 -i ppp0 -j DNAT
> > --to-destination 192.168.170.6
> >
> > Then I should not have to worry about these FORWARD rules interfering
> > with the prerouted data getting to the server at 192.168.170.6 ---
> >
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth1 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -t filter -A FORWARD -i ppp0 -o eth2 -m state --state
> > ESTABLISHED,RELATED -j ACCEPT
> >
> > Am I right or wrong?
> > If wrong, is the only way then to change the FORWARD rule to -j ACCEPT
> > and leave out the ESTABLISHED,RELATED requirement?
> `
> You have to ACCEPT these packets in your forward chain. What I generally
> do (but I generate this with a script) is to duplicate the rules in
> PREROUTING, once with -j MARK and once with -j DNAT, In FORWARD I then use
> --mark to accept those DNATted connections all in one rule.
>
> HTH,
> M4
>
>


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: NAT PREROUTING vs. filter FORWARD
  2006-10-20 17:04   ` Mike
@ 2006-10-21  6:46     ` Martijn Lievaart
  0 siblings, 0 replies; 7+ messages in thread
From: Martijn Lievaart @ 2006-10-21  6:46 UTC (permalink / raw)
  To: Mike; +Cc: netfilter

Mike wrote:

> Martijn,
> The sciprt idea sounds quite clever and efficient!
> I would be very interested to see your method by script, if it is not
> a security risk, etc.
> Thank you very much for your response and idea.


It is pretty efficient. I write my firewall rules in perl. The loader 
executes this script and pipes the output into iptables-restore. It is 
not in a stage that I want to release it to the world yet, however.

M4


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2006-10-21  6:46 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-19 18:25 NAT PREROUTING vs. filter FORWARD Mike
2006-10-19 18:27 ` Mike
2006-10-20  5:32 ` Jasbir Khehra
2006-10-20 13:36   ` Mike
2006-10-20 15:14 ` Martijn Lievaart
     [not found] ` <4429765974127559812@unknownmsgid>
2006-10-20 17:04   ` Mike
2006-10-21  6:46     ` Martijn Lievaart

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.