DNAT not working

DNAT not working

[Balazs Fulop]

Dear List!

I have the following setup:
eth0 (WAN, with multiple alias IPs), eth1 (LAN1), eth2 (LAN2), eth3 (LAN3)

I would like to setup DNAT, in order to achieve the following:
packets coming from eth0 to a certain IP and tcp port get NATed to an IP 
and port for a machine on one of the LAN subnets

I have read the relevant HOWTO and made the following setup:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use 
Iface
aaa.bbb.ccc.ddd   0.0.0.0         255.255.255.248 U     0      0        
0 eth0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         aaa.bbb.ccc.eee   0.0.0.0         UG    0      0        
0 eth0
# cat /var/lib/iptables/testing
# Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
*mangle
:PREROUTING ACCEPT [1804:164934]
:INPUT ACCEPT [1576:145710]
:FORWARD ACCEPT [208:12864]
:OUTPUT ACCEPT [988:111965]
:POSTROUTING ACCEPT [1239:130436]
COMMIT
# Completed on Fri Dec 22 14:23:36 2006
# Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
*nat
:PREROUTING ACCEPT [58:10171]
:POSTROUTING ACCEPT [13:1459]
:OUTPUT ACCEPT [13:1459]
-A PREROUTING -d aaa.bbb.ccc.fff -i eth0 -p tcp -m tcp --dport 25 -j 
DNAT --to-destination 192.168.3.1
-A PREROUTING -j LOG --log-prefix "PREROUTING: " --log-level 7
COMMIT
# Completed on Fri Dec 22 14:23:36 2006
# Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
*filter
:INPUT ACCEPT [1576:145710]
:FORWARD ACCEPT [208:12864]
:OUTPUT ACCEPT [988:111965]
-A FORWARD -d 192.168.3.1 -i eth0 -o eth1 -p tcp -m tcp --dport 25 -j 
ACCEPT
-A FORWARD -j LOG --log-prefix "FORWARD: " --log-level 7
COMMIT
# Completed on Fri Dec 22 14:23:36 2006

If I telnet 192.168.3.1 25 on the firewall, an SMTP session starts. If I 
telnet from outside (coming on eth0), it waits until timeout. I just 
can't figure out why it is not working. At last I removed all the IP 
aliases, and it didn't work that way either. There is nothing relevant 
in /var/log/syslog. I have 1 in /proc/sys/net/ipv4/ip_forward.

Please help. Thanks in advance.

Yours sincerely,
    Fülöp Balázs

Re: DNAT not working

[Grant Taylor]

Balazs Fulop wrote:
> # Generated by iptables-save v1.3.5 on Fri Dec 22 14:23:36 2006
> *nat
> :PREROUTING ACCEPT [58:10171]
> :POSTROUTING ACCEPT [13:1459]
> :OUTPUT ACCEPT [13:1459]
> -A PREROUTING -d aaa.bbb.ccc.fff -i eth0 -p tcp -m tcp --dport 25 -j 
> DNAT --to-destination 192.168.3.1
> -A PREROUTING -j LOG --log-prefix "PREROUTING: " --log-level 7
> COMMIT

<snip>

> If I telnet 192.168.3.1 25 on the firewall, an SMTP session starts. If I 
> telnet from outside (coming on eth0), it waits until timeout. I just 
> can't figure out why it is not working. At last I removed all the IP 
> aliases, and it didn't work that way either. There is nothing relevant 
> in /var/log/syslog. I have 1 in /proc/sys/net/ipv4/ip_forward.


It does not look like you are SNATing / MASQUERADing your traffic back 
out to the internet.



Grant. . . .

Re: DNAT not working

[Pascal Hambourg]

Hello,

Grant Taylor a écrit :
> Balazs Fulop wrote:
> 
>> If I telnet 192.168.3.1 25 on the firewall, an SMTP session starts. If 
>> I telnet from outside (coming on eth0), it waits until timeout.

I am not surprised that telnet to a private address from the outside 
fails. ;-)

> It does not look like you are SNATing / MASQUERADing your traffic back 
> out to the internet.

You do not need to SNAT/MASQUERADE return traffic. The NAT code does it 
implicitly. However, the target host must have a (default) route back to 
the outside via the NATing gateway.

Re: DNAT not working

[Balazs Fulop]

Hello,

> You do not need to SNAT/MASQUERADE return traffic. The NAT code does 
> it implicitly. However, the target host must have a (default) route 
> back to the outside via the NATing gateway.
>
The default gateway of the NATed machine was not the NATing gateway. The 
problem is now solved. Thank you very much.

Yours sincerely,
    Fülöp Balázs

DNAT not working

[Payal Rathod]

Hi,
My gateway server is Ubuntu 6.06.1 LTS, iptables v1.3.3.  By ifconfig I 
have added one more ip say 1.2.3.4 (eth0:1). iptables-save gives me the 
output at,
http://pastebin.ca/446625

# cat /proc/sys/net/ipv4/ip_forward
1


But when I connect to 1.2.3.4 port 25,  instead of redirecting me to 
10.10.200.2 it connects me to port 25 of the gateway machine. I am 
totally confused, can anyone help me out please?

With warm regards,
-Payal

Re: DNAT not working

[Martijn Lievaart]

Payal Rathod wrote:
> Hi,
> My gateway server is Ubuntu 6.06.1 LTS, iptables v1.3.3.  By ifconfig I 
> have added one more ip say 1.2.3.4 (eth0:1). iptables-save gives me the 
> output at,
> http://pastebin.ca/446625
>
> # cat /proc/sys/net/ipv4/ip_forward
> 1
>
>
> But when I connect to 1.2.3.4 port 25,  instead of redirecting me to 
> 10.10.200.2 it connects me to port 25 of the gateway machine. I am 
> totally confused, can anyone help me out please?
>   

Try -d 1.2.3.4 instead of -s.

HTH,
M4

Re: DNAT not working

[Payal Rathod]

On Wed, Apr 18, 2007 at 07:34:32PM +0200, Martijn Lievaart wrote:
> Payal Rathod wrote:
> >Hi,
> >My gateway server is Ubuntu 6.06.1 LTS, iptables v1.3.3.  By ifconfig I 
> >have added one more ip say 1.2.3.4 (eth0:1). iptables-save gives me the 
> >output at,
> >http://pastebin.ca/446625
> >
> Try -d 1.2.3.4 instead of -s.

But now it is timing out instead of connecting.
The new ruleset is at,

http://pastebin.ca/447539

Can someone tell what might be wrong?

With warm regards,
-Payal

Re: DNAT not working

[Gáspár Lajos]

Payal Rathod írta:
> On Wed, Apr 18, 2007 at 07:34:32PM +0200, Martijn Lievaart wrote:
>   
>> Payal Rathod wrote:
>>     
>>>       
...
>> Try -d 1.2.3.4 instead of -s.
>>     
>
> But now it is timing out instead of connecting.
> The new ruleset is at,
>
> http://pastebin.ca/447539
>
> Can someone tell what might be wrong?
>   
...

1. Your FORWARD policy is ACCEPT... You do not need the lines 14 and 15. 
(AFAIK: If the target IP is on your computer then it fill not be 
FORWARDed but will be sent to a LOCAL process.)
2. You did not wrote but I assume you have a dynamically assigned IP 
connection. (Line 22.) If it is true then I would specify in this line 
the output interface: "-A POSTROUTING -s 10.10.0.0/255.255.255.0 -o 
???ppp+??? -j MASQUERADE"
3. Line 23: ???? Why do you DNAT an outgoing connection back to you ??? 
Maybe you do not need that line at all...

Hope that helps.

 Swifty

Re: DNAT not working

[Payal Rathod]

On Thu, Apr 19, 2007 at 01:15:09PM +0200, G?sp?r Lajos wrote:
> 2. You did not wrote but I assume you have a dynamically assigned IP 
> connection. (Line 22.) If it is true then I would specify in this line 
> the output interface: "-A POSTROUTING -s 10.10.0.0/255.255.255.0 -o 
> ???ppp+??? -j MASQUERADE"

No it is a fixed ip.

> 3. Line 23: ???? Why do you DNAT an outgoing connection back to you 
> ???  Maybe you do not need that line at all...

I removed that - but still does not work.

Any ideas?

With warm regards,
-Payal

DNAT Not working

[Nicolas Ross]

Hi all !

I a have a fw box running RH 7.3.

Here's part of my nat table :

-A PREROUTING  -p tcp -m tcp -s 172.16.190.0/255.255.255.0 --dport 80 -j
REDIRECT --to-ports 8080
-A POSTROUTING -p tcp -m tcp -s 172.16.190.0/255.255.255.0 ! --dport 80 -o
eth0 -j SNAT --to-source 1.1.1.1
-A POSTROUTING -p udp -m udp -s 172.16.190.0/255.255.255.0 -o eth0 -j
SNAT --to-source 1.1.1.1
-A POSTROUTING -p icmp -m icmp -s 172.16.190.0/255.255.255.0 -o eth0 -j
SNAT --to-source 1.1.1.1

-A PREROUTING -p tcp -m tcp -i eth0 -d 1.1.2.1 --dport 80 -j
DNAT --to-destination 172.16.190.5
-A PREROUTING -p tcp -m tcp -i eth0 -d 1.1.2.1 --dport 9287 -j
DNAT --to-destination 172.16.190.5
-A PREROUTING -i eth0 -d 1.1.2.2 -j DNAT --to-destination 172.16.190.7
-A PREROUTING -p tcp -m tcp -i eth0 -d 1.1.2.3 --dport 5003 -j
DNAT --to-destination 172.16.190.143


Part of my filer table :

-A FORWARD -i eth0 -o eth2 -p tcp -m tcp -d 172.16.190.5 --dport 80 -j
ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp -d 172.16.190.5 --dport 9287 -j
ACCEPT
-A FORWARD -i eth0 -o eth2 -d 172.16.190.7 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -p tcp -m tcp -d 172.16.190.143 --dport 5003 -j
ACCEPT

There are other things in it, and my last FORWARD line is a LOG one.

1.1.1.1 (fake ip) is the ext. ip of the box (eth0)
1.1.2.x are ips routed by the box.
172.16.190.x are internal ips (eth1)


DNAT to 172.16.190.5, port 80 works fine.
DNAT to 172.16.190.143, port 5003 is not.

In /proc/net/ip_conntrack, I see :

tcp      6 118 SYN_SENT src=x.x.x.x dst=x.x.x.x sport=49502 dport=5003
[UNREPLIED] src=172.16.190.143 dst=x.x.x.x sport=5003 dport=49502 use=1

With iptables -nvL, I see packet counter rising for the 2 rules concerning
port 5003

On the 172.16.190.143 box, wich is a mac os x box, with netstat -an | grep
5003, I see :

tcp4       0      0  172.16.190.143.5003    x.x.x.x.62382          SYN_RCVD
tcp4       0      0  172.16.190.143.5003    172.16.190.153.49342
ESTABLISHED
tcp4       0      0  127.0.0.1.5003         127.0.0.1.49184
ESTABLISHED
tcp4       0      0  127.0.0.1.49184        127.0.0.1.5003
ESTABLISHED
tcp4       0      0  *.5003                 *.*                    LISTEN

I see nothing being logued.

I tried removing port selection as in :

-A PREROUTING -i eth0 -d 1.1.2.3 -j DNAT --to-destination 172.16.190.143
-A FORWARD -i eth0 -o eth2 -d 172.16.190.143 -j ACCEPT

Still the same thing.

What am I missing ?

Re: DNAT Not working

[Antony Stone]

On Monday 12 July 2004 4:12 pm, Nicolas Ross wrote:

> DNAT to 172.16.190.5, port 80 works fine.
> DNAT to 172.16.190.143, port 5003 is not.
>
> In /proc/net/ip_conntrack, I see :
>
> tcp      6 118 SYN_SENT src=x.x.x.x dst=x.x.x.x sport=49502 dport=5003
> [UNREPLIED] src=172.16.190.143 dst=x.x.x.x sport=5003 dport=49502 use=1

Okay, so that means the firewall passed the SYN packet through from the client 
to the mac, but hasn't seen the SYN-ACK back from the mac to the client.

> With iptables -nvL, I see packet counter rising for the 2 rules concerning
> port 5003

That means packets are going through the firewall (one way, at least).

> On the 172.16.190.143 box, wich is a mac os x box, with netstat -an | grep
> 5003, I see :
>
> tcp4       0      0  172.16.190.143.5003    x.x.x.x.62382          SYN_RCVD

Okay, so it's received the SYN (and presumably tried to return the SYN-ACK)

> tcp4       0      0  172.16.190.143.5003    172.16.190.153.49342
> ESTABLISHED
> tcp4       0      0  127.0.0.1.5003         127.0.0.1.49184
> ESTABLISHED
> tcp4       0      0  127.0.0.1.49184        127.0.0.1.5003
> ESTABLISHED
> tcp4       0      0  *.5003                 *.*                    LISTEN

Yup, it's listening on TCP port 5003 alright :)

Does the mac have a default route to send reply packets back to the remote 
client through the firewall?

Try a packet sniffer (ethereal is good) on the link between the firewall and 
the mac, and see if you can see packets both ways (and look at the source & 
destination addresses).

Regards,

Antony.

-- 
"Reports that say that something hasn't happened are always interesting to me, 
because as we know, there are known knowns; there are things we know we know. 
We also know there are known unknowns; that is to say we know there are some 
things we do not know. But there are also unknown unknowns - the ones we 
don't know we don't know."

 - Donald Rumsfeld, US Secretary of Defence

                                                     Please reply to the list;
                                                           please don't CC me.

Re: DNAT Not working

[Nicolas Ross]

> On Monday 12 July 2004 4:12 pm, Nicolas Ross wrote:
>
> > DNAT to 172.16.190.5, port 80 works fine.
> > DNAT to 172.16.190.143, port 5003 is not.
> >
> > In /proc/net/ip_conntrack, I see :
> >
> > tcp      6 118 SYN_SENT src=x.x.x.x dst=x.x.x.x sport=49502 dport=5003
> > [UNREPLIED] src=172.16.190.143 dst=x.x.x.x sport=5003 dport=49502 use=1
>
> Okay, so that means the firewall passed the SYN packet through from the
client
> to the mac, but hasn't seen the SYN-ACK back from the mac to the client.
>
> > With iptables -nvL, I see packet counter rising for the 2 rules
concerning
> > port 5003
>
> That means packets are going through the firewall (one way, at least).
>
> > On the 172.16.190.143 box, wich is a mac os x box, with netstat -an |
grep
> > 5003, I see :
> >
> > tcp4       0      0  172.16.190.143.5003    x.x.x.x.62382
SYN_RCVD
>
> Okay, so it's received the SYN (and presumably tried to return the
SYN-ACK)
>
> > tcp4       0      0  172.16.190.143.5003    172.16.190.153.49342
> > ESTABLISHED
> > tcp4       0      0  127.0.0.1.5003         127.0.0.1.49184
> > ESTABLISHED
> > tcp4       0      0  127.0.0.1.49184        127.0.0.1.5003
> > ESTABLISHED
> > tcp4       0      0  *.5003                 *.*
LISTEN
>
> Yup, it's listening on TCP port 5003 alright :)
>
> Does the mac have a default route to send reply packets back to the remote
> client through the firewall?
>
> Try a packet sniffer (ethereal is good) on the link between the firewall
and
> the mac, and see if you can see packets both ways (and look at the source
&
> destination addresses).

Between the time I wrote my message, and now, I finally got my hand on it.

The probleme was that the default route on that host was not the RH
firewall, but another box wich connects with a vpn to another network at
another location, so the route back to the source host doesn't pass trough
the firewall, thus the problem...

Thanks anyway !

Nicolas

Re: DNAT Not working

[Antony Stone]

On Monday 12 July 2004 5:13 pm, Nicolas Ross wrote:

> On Monday 12 July 2004 4:59 pm, Antony Stone wrote:
>
> > Yup, it's listening on TCP port 5003 alright :)
> >
> > Does the mac have a default route to send reply packets back to the
> > remote client through the firewall?
>
> Between the time I wrote my message, and now, I finally got my hand on it.
>
> The probleme was that the default route on that host was not the RH
> firewall, but another box wich connects with a vpn to another network at
> another location, so the route back to the source host doesn't pass trough
> the firewall, thus the problem...

Here's one of my sigs, especially for you :)

Antony.

-- 
90% of networking problems are routing problems.
9 of the remaining 10% are routing problems in the other direction.
The remaining 1% might be something else, but check the routing anyway.

                                                     Please reply to the list;
                                                           please don't CC me.

DNAT not working

[Stuart Lamble]

[-- Attachment #1: Type: text/plain, Size: 728 bytes --]

Hello netfilter lists
 
Can any one help me here. I have the following rule...
 
iptables -t nat -A PREROUTING -i ppp0 -p tcp -d $FW-EXT-IP --dport 22 -j
DNAT --to 192.168.100.6:22
 
Simply put I want to allow ssh from the internet to a server on my LAN,
192.168.100.6
My FORWARD rule is default accept.
 
I understand that a packet comes into the firewall on an interface and
then gets PREROUTED as above the gets passed to FORWARD = accept then to
the destination???
 
Why is it not working? Do i need to do any special kernel, modprobe
things?
Thanks
Stu

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.631 / Virus Database: 404 - Release Date: 3/17/2004
 

[-- Attachment #2: Type: text/html, Size: 2244 bytes --]

Re: DNAT not working

[John A. Sullivan III]

On Thu, 2004-03-18 at 15:26, Stuart Lamble wrote:
> Hello netfilter lists
>  
> Can any one help me here. I have the following rule...
>  
> iptables -t nat -A PREROUTING -i ppp0 -p tcp -d $FW-EXT-IP --dport 22
> -j DNAT --to 192.168.100.6:22
>  
> Simply put I want to allow ssh from the internet to a server on my
> LAN, 192.168.100.6
> My FORWARD rule is default accept.
>  
> I understand that a packet comes into the firewall on an interface and
> then gets PREROUTED as above the gets passed to FORWARD = accept then
> to the destination???
>  
> Why is it not working? Do i need to do any special kernel, modprobe
> things?
<snip>
Perhaps you were just saving typing but isn't the correct syntax -j DNAT
--to-destination 192.168.100.6:22
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: DNAT not working

[Antony Stone]

On Thursday 18 March 2004 8:49 pm, John A. Sullivan III wrote:

> On Thu, 2004-03-18 at 15:26, Stuart Lamble wrote:
> > Hello netfilter lists
> >
> > Can any one help me here. I have the following rule...
> >
> > iptables -t nat -A PREROUTING -i ppp0 -p tcp -d $FW-EXT-IP --dport 22
> > -j DNAT --to 192.168.100.6:22
>
> Perhaps you were just saving typing but isn't the correct syntax -j DNAT
> --to-destination 192.168.100.6:22

Both are valid.

The DNAT target takes --to-destination or --to as its argument; similarly the 
SNAT target happily takes --to-source or --to as its argument.

Regards,

Antony.

-- 
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: DNAT not working

[Antony Stone]

On Thursday 18 March 2004 8:26 pm, Stuart Lamble wrote:

> Hello netfilter lists

Hello Stuart.

> iptables -t nat -A PREROUTING -i ppp0 -p tcp -d $FW-EXT-IP --dport 22 -j
> DNAT --to 192.168.100.6:22
>
> Simply put I want to allow ssh from the internet to a server on my LAN,
> 192.168.100.6
> My FORWARD rule is default accept.

Ugh :(   I trust you are going to change that very soon :)

> I understand that a packet comes into the firewall on an interface and
> then gets PREROUTED as above the gets passed to FORWARD = accept then to
> the destination???

Yes, that is the correct mechanism.

> Why is it not working? Do i need to do any special kernel, modprobe
> things?

No, the above rule, combined with a (gulp) default ACCEPT policy on FORWARD, 
should do what you want.

I suggest the following:

1. Post the remainder of your ruleset so we can see what else may be having an 
effect.

2. Tell us how you are testing the rule.

3. Look at the output of "iptables -L -t nat -nvx" - do the packet & byte 
counters show that any packets are matching the above rule?

4. Put a LOGging rule in your FORWARD chain so you can see what packets appear 
to be going through the firewall (I suggest two rules, one for packets to TCP 
port 22, one for packets from TCP port 22, or alternatively two rules for 
packets to / from 192.168.100.6, so that you don't get so much logging output 
that you can't see what's going on).

5. Tell us about anything else which *does* work through your firewall (eg: 
can you browse the Internet from an internal client? can you send & receive 
email? can you resolve hostnames?)

Hope something here helps,

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the list;
                                                           please don't CC me.

RE: DNAT not working

[Stuart Lamble]

Hi Antony

Output from iptables -L -t nat
--------------------------------------------------------
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  anywhere             xxx.xxx.xxx.xxx dpt:msg-icp
to:192.168.100.6:29 

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
MASQUERADE  all  --  192.168.100.0/28     anywhere           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
------------------------------------------------------------

Output of iptables -L
--------------------------------------------------------------
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:smtp

ACCEPT     udp  --  anywhere             anywhere           udp
spt:domain 
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:http

DROP       tcp  --  anywhere             anywhere           tcp dpt:ftp 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp

ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:msg-icp 
ACCEPT     tcp  --  anywhere             anywhere           tcp
multiport ports msg-icp 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http

ACCEPT     tcp  --  anywhere             anywhere           tcp
dpt:https 
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ndmp

ACCEPT     all  --  anywhere             anywhere           state
RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere           tcp
multiport ports msg-icp 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

---------------------------------------------------------------

The port in question is 29, ssh modified for 29 as the gateway with the
dsl connected has ssh running on port 22, so makes sense to use another
port, else I would always get the gateway ssh responding.

Note that I am using webmin firewall to configure the iptables.

I do get the counters incrementing on the prerouting rule.
From the gateway machine I am able to ssh -p 29 192.168.100.6
The gateway machine has two network cards, internal eth 1 =
192.168.100.1 and external eth0 = $IP.
The virtual ppp0 comes up with the Public IP.

Thanks Stuart







-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Thursday, March 18, 2004 10:51 PM
To: netfilter@lists.netfilter.org
Subject: Re: DNAT not working


On Thursday 18 March 2004 8:26 pm, Stuart Lamble wrote:

> Hello netfilter lists

Hello Stuart.

> iptables -t nat -A PREROUTING -i ppp0 -p tcp -d $FW-EXT-IP --dport 22 
> -j DNAT --to 192.168.100.6:22
>
> Simply put I want to allow ssh from the internet to a server on my 
> LAN, 192.168.100.6 My FORWARD rule is default accept.

Ugh :(   I trust you are going to change that very soon :)

> I understand that a packet comes into the firewall on an interface and

> then gets PREROUTED as above the gets passed to FORWARD = accept then 
> to the destination???

Yes, that is the correct mechanism.

> Why is it not working? Do i need to do any special kernel, modprobe 
> things?

No, the above rule, combined with a (gulp) default ACCEPT policy on
FORWARD, 
should do what you want.

I suggest the following:

1. Post the remainder of your ruleset so we can see what else may be
having an 
effect.

2. Tell us how you are testing the rule.

3. Look at the output of "iptables -L -t nat -nvx" - do the packet &
byte 
counters show that any packets are matching the above rule?

4. Put a LOGging rule in your FORWARD chain so you can see what packets
appear 
to be going through the firewall (I suggest two rules, one for packets
to TCP 
port 22, one for packets from TCP port 22, or alternatively two rules
for 
packets to / from 192.168.100.6, so that you don't get so much logging
output 
that you can't see what's going on).

5. Tell us about anything else which *does* work through your firewall
(eg: 
can you browse the Internet from an internal client? can you send &
receive 
email? can you resolve hostnames?)

Hope something here helps,

Antony.

-- 
Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

                                                     Please reply to the
list;
                                                           please don't
CC me.



---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.631 / Virus Database: 404 - Release Date: 3/17/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.634 / Virus Database: 406 - Release Date: 3/18/2004
 

DNAT NOT WORKING

[madhav bhasin]

Hi,

	I installed latest vesion of iptables and pom from
www.netfilter.org . They were installed and kernel was
compiled sucessfully. all modules are loading
properly. I just added three rules in nat table
prerouting chain .and i am getting same error
iptables: Invalid argument 3 times. 
rules are as follows

$IT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d
&INET_HTTP  --dport 80 -j DNAT --to $DMZ_HTTP 

$IT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d
&INET_DNS  --dport 53 -j DNAT --to-destinaion $DMZ_DNS
$IT -t nat -A PREROUTING -p UDP -i $INET_IFACE -d
&INET_DNS  --dport 53 -j DNAT --to-destinaion $DMZ_DNS

KERNELVERSION -> 2.4.20-8
IPTABLES -> 1.2.9 "I DOWNLOADED BUT AFTER COMPILING IT
SHOWS IPTABLES-1.2.7a"
PATCH-O-MATIC ->20030912

Please try to help me. I'll be really thank full to
you
Madhav


__________________________________
Do you Yahoo!?
New Yahoo! Photos - easier uploading and sharing.
http://photos.yahoo.com/

Re: DNAT NOT WORKING

[Antony Stone]

On Wednesday 24 December 2003 10:24 am, madhav bhasin wrote:

> Hi,
>
> 	I installed latest vesion of iptables and pom from
> www.netfilter.org . They were installed and kernel was
> compiled sucessfully. all modules are loading
> properly. I just added three rules in nat table
> prerouting chain .and i am getting same error
> iptables: Invalid argument 3 times.
> rules are as follows
>
> $IT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d
> &INET_HTTP  --dport 80 -j DNAT --to $DMZ_HTTP
>
> $IT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d
> &INET_DNS  --dport 53 -j DNAT --to-destinaion $DMZ_DNS
> $IT -t nat -A PREROUTING -p UDP -i $INET_IFACE -d
> &INET_DNS  --dport 53 -j DNAT --to-destinaion $DMZ_DNS

Try changing & to $ in the above rules :)

Antony.

-- 
In Heaven, the police are British, the chefs are Italian, the beer is Belgian, 
the mechanics are German, the lovers are French, the entertainment is 
American, and everything is organised by the Swiss.

In Hell, the police are German, the chefs are British, the beer is American, 
the mechanics are French, the lovers are Swiss, the entertainment is Belgian, 
and everything is organised by the Italians.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: DNAT NOT WORKING

[Thomas Scheffczyk]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]

madhav bhasin wrote:

 > $IT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d
 > &INET_DNS  --dport 53 -j DNAT --to-destinaion $DMZ_DNS
 > $IT -t nat -A PREROUTING -p UDP -i $INET_IFACE -d
 > &INET_DNS  --dport 53 -j DNAT --to-destinaion $DMZ_DNS

IMHO it should be '--to-destination' instead of '--to-destinaion'.


F&G

Thomas

[-- Attachment #2: Type: application/pgp-signature, Size: 254 bytes --]