From: Balazs Fulop
Subject: DNAT not working
Date: Fri, 22 Dec 2006 16:03:30 +0100
Message-ID: <458BF3C2.4050700@initon.com>
To: netfilter@lists.netfilter.org

Dear List!

I have the following setup:

eth0 (WAN, with multiple alias IPs), eth1 (LAN1), eth2 (LAN2), eth3 (LAN3)

I would like to set up DNAT in order to achieve the following: packets coming from eth0 to a certain IP and TCP port get NATed to an IP and port for a machine on one of the LAN subnets.

I have read the relevant HOWTO and made the following setup:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aaa.bbb.ccc.ddd 0.0.0.0         255.255.255.248 U     0      0        0 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         aaa.bbb.ccc.eee 0.0.0.0         UG    0      0        0 eth0

# cat /var/lib/iptables/testing
# Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
*mangle
:PREROUTING ACCEPT [1804:164934]
:INPUT ACCEPT [1576:145710]
:FORWARD ACCEPT [208:12864]
:OUTPUT ACCEPT [988:111965]
:POSTROUTING ACCEPT [1239:130436]
COMMIT
# Completed on Fri Dec 22 14:23:36 2006
# Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
*nat
:PREROUTING ACCEPT [58:10171]
:POSTROUTING ACCEPT [13:1459]
:OUTPUT ACCEPT [13:1459]
-A PREROUTING -d aaa.bbb.ccc.fff -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.3.1
-A PREROUTING -j LOG --log-prefix "PREROUTING: " --log-level 7
COMMIT
# Completed on Fri Dec 22 14:23:36 2006
# Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
*filter
:INPUT ACCEPT [1576:145710]
:FORWARD ACCEPT [208:12864]
:OUTPUT ACCEPT [988:111965]
-A FORWARD -d 192.168.3.1 -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD: " --log-level 7
COMMIT
# Completed on Fri Dec 22 14:23:36 2006

If I telnet 192.168.3.1 25 on the firewall, an SMTP session starts. If I telnet from outside (coming in on eth0), it waits until timeout. I just can't figure out why it is not working. At last I removed all the IP aliases, and it didn't work that way either. There is nothing relevant in /var/log/syslog. I have 1 in /proc/sys/net/ipv4/ip_forward.

Please help. Thanks in advance.

Yours sincerely,
Fülöp Balázs
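The post above pairs a nat/PREROUTING DNAT with a filter/FORWARD ACCEPT for the translated address, which is the part of a port-forward that is easiest to get wrong: the filter table sees the packet after DNAT, so the FORWARD rule must match the internal address and port, not the public one. The script below is an added example written for this page, not code from the poster or from the netfilter project. It parses an iptables-save dump and reports, for each DNAT in nat/PREROUTING, whether filter/FORWARD admits the translated flow, either by an explicit ACCEPT rule or by the chain policy (LOG and similar non-terminating targets are ignored, and a state/ctstate ACCEPT that does not include NEW is not counted, since the first packet of an inbound connection is NEW). Interface matches (-i/-o), negations and port ranges are deliberately not modelled. The SAMPLE_DUMP is constructed for the example: it follows the layout of the posted file but uses RFC 5737 addresses, a FORWARD policy of DROP, and a second DNAT that has no FORWARD rule so both outcomes are exercised. What the script cannot see is anything outside the dump: ip_forward, rp_filter, and whether the LAN host's default route points back through the firewall are separate checks.

```python
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    table: str
    chain: str
    opts: dict = field(default_factory=dict)      # flag -> value, e.g. {"d": "192.168.3.1", "dport": "25"}
    target: str = ""
    target_args: list = field(default_factory=list)


def parse_iptables_save(text):
    """Parse an iptables-save dump into {(table, chain): policy} and a flat list of Rule objects."""
    table, policies, rules = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                                  # *nat, *filter, *mangle
            table = line[1:]
            continue
        if line.startswith(":"):                                  # :FORWARD ACCEPT [208:12864]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
            continue
        toks = shlex.split(line)                                  # honours the quoted --log-prefix
        if toks[0] != "-A":
            continue
        rule, i = Rule(table=table, chain=toks[1]), 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-j":                                       # everything after -j belongs to the target
                rule.target, rule.target_args = toks[i + 1], toks[i + 2:]
                break
            if tok == "-m":                                       # extension name; its options carry their own flags
                i += 2
                continue
            if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                rule.opts[tok.lstrip("-")] = toks[i + 1]
                i += 2
            else:                                                 # flag without a value (or an unmodelled "!")
                rule.opts[tok.lstrip("-")] = True
                i += 1
        rules.append(rule)
    return policies, rules


def translated_destination(rule):
    """(ip, port) from DNAT's --to-destination IP[:port]; port None means 'port unchanged'."""
    args = rule.target_args
    ip, _, port = args[args.index("--to-destination") + 1].partition(":")
    return ip, (int(port) if port else None)


def forward_allows(policies, rules, ip, port):
    """Would filter/FORWARD pass a NEW packet to ip:port? Explicit ACCEPT rules first, then the policy."""
    for r in rules:
        if (r.table, r.chain, r.target) != ("filter", "FORWARD", "ACCEPT"):
            continue
        states = r.opts.get("state") or r.opts.get("ctstate")
        if isinstance(states, str) and "NEW" not in states.split(","):
            continue                                              # ESTABLISHED,RELATED-only rule: not for the first packet
        dst, dport = r.opts.get("d"), r.opts.get("dport")
        if isinstance(dst, str) and dst.split("/")[0] != ip:
            continue
        if isinstance(dport, str) and dport.isdigit() and port is not None and int(dport) != port:
            continue
        return True
    return policies.get(("filter", "FORWARD")) == "ACCEPT"


def check_dnat(text):
    """For every DNAT in nat/PREROUTING, report the public and internal endpoints and the FORWARD verdict."""
    policies, rules = parse_iptables_save(text)
    report = []
    for r in rules:
        if (r.table, r.chain, r.target) != ("nat", "PREROUTING", "DNAT"):
            continue
        ip, port = translated_destination(r)
        dport = r.opts.get("dport")
        if port is None and isinstance(dport, str) and dport.isdigit():
            port = int(dport)                                     # DNAT without :port keeps the original port
        report.append({
            "public": f"{r.opts.get('d')}:{dport}",
            "internal": f"{ip}:{port}",
            "forward_ok": forward_allows(policies, rules, ip, port),
        })
    return report


# Constructed sample (not the posted file): same layout, FORWARD policy DROP,
# one DNAT that has its FORWARD rule and one that does not.
SAMPLE_DUMP = """
*nat
:PREROUTING ACCEPT [58:10171]
:POSTROUTING ACCEPT [13:1459]
:OUTPUT ACCEPT [13:1459]
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.3.1
-A PREROUTING -d 203.0.113.11 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.4.1:8080
-A PREROUTING -j LOG --log-prefix "PREROUTING: " --log-level 7
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d 192.168.3.1 -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD: " --log-level 7
COMMIT
"""

if __name__ == "__main__":
    for entry in check_dnat(SAMPLE_DUMP):
        print(entry)
```

Run it against a real box with `iptables-save | python3 check_dnat.py` after replacing the sample with `sys.stdin.read()`; a DNAT reported with forward_ok False is a rule-side problem, while one reported True but still timing out points at routing or the target host rather than the firewall's rule set.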