* IP redirect?
From: Morgan Read @ 2008-10-20  9:34 UTC
  To: Mail List - Netfilter

Hi Folks

To redirect lan traffic addressed to the wan IP (e.g.) 123.456.789.012
to the lan IP address 192.168.1.123, I'm using the following:
$ iptables -t nat -I PREROUTING 1 -d 123.456.789.012 -j DNAT
--to-destination 192.168.1.123

But, all internal traffic seems to get lost - 18 months ago when I last
did this, traffic to 123.456.789.012 seemed to hit 192.168.1.123 and
come back without problem.

I've added the following, with some interesting results:
$ iptables -t nat -I POSTROUTING 1 -s 192.168.1.40 -j SNAT --to-source
58.28.20.69

Now, the traffic from the specific lan IP 192.168.1.123 does seem to be
redirected correctly and come back to itself.  But still, all other lan
traffic seems to get lost.

Any ideas what's happening, where I'm getting lost?

Regards,
Morgan.
-- 
Getting errors: "There are problems with the signature" (or similar)?
Update your system by installing certificates from CAcert Inc, see here:
http://wiki.cacert.org/wiki/BrowserClients?#head-259758ec5ba51c5205cfb179cf60e0b54d9e378b
Or, if Internet Explorer is your default browser, simply click this link:
http://www.cacert.org/index.php?id=17

Morgan Read
NEW ZEALAND
<mailto:mstuffATreadDOTorgDOTnz>

fedora & freedom; fact || fiction?
http://fedoraproject.org/wiki/Overview
get freed-ora!
http://www.fsfla.org/svnwiki/selibre/linux-libre/freed-ora


* Re: IP redirect?
From: Grant Taylor @ 2008-10-20 16:23 UTC
  To: Mail List - Netfilter

On 10/20/08 04:34, Morgan Read wrote:
> To redirect lan traffic addressed to the wan IP (e.g.) 123.456.789.012 
> to the lan IP address 192.168.1.123, I'm using the following:
> $ iptables -t nat -I PREROUTING 1 -d 123.456.789.012 -j DNAT 
> --to-destination 192.168.1.123
> 
> But, all internal traffic seems to get lost - 18 months ago when I last 
> did this, traffic to 123.456.789.012 seemed to hit 192.168.1.123 and 
> come back without problem.

Please search the mailing list archives for the "TCP Triangle".  The 
most recent thread was "routing all HTTP requests to my own web server". 
Also, take a look at one of Julian's images 
"http://jengelh.hopto.org/images/dnat-mistake.png" for more information.

> I've added the following, with some interesting results:
> $ iptables -t nat -I POSTROUTING 1 -s 192.168.1.40 -j SNAT --to-source 
> 58.28.20.69

*nod*

> Now, the traffic from the specific lan IP 192.168.1.123 does seem to be 
> redirected correctly and come back to itself.  But still, all other lan 
> traffic seems to get lost.

This is as I would expect.

> Any ideas what's happening, where I'm getting lost?

You are only SNATing traffic from (-s) 192.168.1.40.  Try SNATing all 
traffic from your local LAN that is being redirected to your system.

$ iptables -t nat -I POSTROUTING 1 -s 192.168.1.0/24 -d 192.168.1.123 -j 
SNAT --to-source 58.28.20.69

Note:  I'm not sure why you are using a source of 58.28.20.69.  I would 
think that you would want to use the source of your internal interface 
in the 192.168.1.0/24 network.



Grant. . . .


* Re: IP redirect?
From: Morgan Read @ 2008-10-23  9:51 UTC
  To: Grant Taylor; +Cc: Mail List - Netfilter

Below:

On 21/10/08 05:23, Grant Taylor wrote:
> On 10/20/08 04:34, Morgan Read wrote:
>> To redirect lan traffic addressed to the wan IP (e.g.) 123.456.789.012
>> to the lan IP address 192.168.1.123, I'm using the following:
>> $ iptables -t nat -I PREROUTING 1 -d 123.456.789.012 -j DNAT
>> --to-destination 192.168.1.123
>>
>> But, all internal traffic seems to get lost - 18 months ago when I
>> last did this, traffic to 123.456.789.012 seemed to hit 192.168.1.123
>> and come back without problem.
> 
> Please search the mailing list archives for the "TCP Triangle".  The
> most recent thread was "routing all HTTP requests to my own web server".
>  Also, take a look at one of Julian's images
> "http://jengelh.hopto.org/images/dnat-mistake.png" for more information.

OK, thank you

> 
>> I've added the following, with some interesting results:
>> $ iptables -t nat -I POSTROUTING 1 -s 192.168.1.40 -j SNAT --to-source
>> 58.28.20.69
> 
> *nod*
> 
>> Now, the traffic from the specific lan IP 192.168.1.123 does seem to
>> be redirected correctly and come back to itself.  But still, all other
>> lan traffic seems to get lost.
> 
> This is as I would expect.
> 
>> Any ideas what's happening, where I'm getting lost?
> 
> You are only SNATing traffic from (-s) 192.168.1.40.  Try SNATing all
> traffic from your local LAN that is being redirected to your system.
> 
> $ iptables -t nat -I POSTROUTING 1 -s 192.168.1.0/24 -d 192.168.1.123 -j
> SNAT --to-source 58.28.20.69

Thank you, it works - any ideas why the DNAT worked on its own without
the SNAT 18 months ago?  Or is that a silly question...

Many thanks,
M.


* Re: IP redirect?
From: Grant Taylor @ 2008-10-23 13:56 UTC
  To: Mail List - Netfilter

On 10/23/08 04:51, Morgan Read wrote:
> OK, thank you

You are welcome.

> Thank you, it works - any ideas why the DNAT worked on its own 
> without the SNAT 18 months ago?  Or is that a silly question...

No.  I see no reason that it would have worked before at all.  The only 
thing that I can think of is that you were not DNATing within the same 
subnet, such that your traffic was routed back through the router where 
it would unDNAT it anyway, much like MASQUERADing / SNAT does out to 
the internet (remember that MASQUERADing / SNATing is only so that 
systems on the net have a route back to your client).

> Many thanks,

*nod*



Grant. . . .

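As an added illustration of the three situations discussed in this thread (the "TCP Triangle" that drops hairpin traffic, the SNAT fix Grant gives, and his explanation of why a client on a different subnet never hit the problem), here is a small Python model of the router's NAT behaviour. It is not code from the thread or from netfilter; it uses the addresses the posters used (the placeholder WAN address 123.456.789.012, server 192.168.1.123, client 192.168.1.40, SNAT source 58.28.20.69) and assumes 192.168.1.1 as the router's LAN address and a client on 192.168.2.0/24 for the "different subnet" case.

```python
"""Model of hairpin DNAT on a netfilter router: why the reply is lost without
SNAT and why it survives with it.  Addresses are plain strings so the thread's
placeholder WAN address can be used as-is.  Added example, not from the thread."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WAN_IP = "123.456.789.012"      # WAN address from the thread (the poster's placeholder)
SERVER_IP = "192.168.1.123"     # DNAT target from the thread
CLIENT_IP = "192.168.1.40"      # LAN client from the thread
THREAD_SNAT_SOURCE = "58.28.20.69"  # SNAT source the poster used
ROUTER_LAN_IP = "192.168.1.1"   # assumed: the router's interface in 192.168.1.0/24
OTHER_SUBNET_CLIENT = "192.168.2.40"  # assumed: client behind the router on another /24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    reply: bool = False


def same_subnet(a: str, b: str) -> bool:
    """Crude /24 check: compare the first three dotted octets."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]


class Router:
    """Minimal netfilter model: PREROUTING DNAT, POSTROUTING SNAT, and a
    conntrack table that reverses both translations on the reply."""

    def __init__(self, snat_source: Optional[str]) -> None:
        self.snat_source = snat_source
        # reply tuple (src, dst) as the router will see it -> original (dst, src)
        self.conntrack: Dict[Tuple[str, str], Tuple[str, str]] = {}

    def forward(self, pkt: Packet) -> Packet:
        if not pkt.reply:
            # PREROUTING: -d WAN_IP -j DNAT --to-destination SERVER_IP
            new_dst = SERVER_IP if pkt.dst == WAN_IP else pkt.dst
            # POSTROUTING: -s 192.168.1.0/24 -d SERVER_IP -j SNAT --to-source X
            new_src = pkt.src
            if self.snat_source and new_dst == SERVER_IP and same_subnet(pkt.src, SERVER_IP):
                new_src = self.snat_source
            self.conntrack[(new_dst, new_src)] = (pkt.dst, pkt.src)
            return Packet(new_src, new_dst)
        # Reply: undo both NATs using the conntrack entry created by the request.
        orig = self.conntrack.get((pkt.src, pkt.dst))
        if orig is None:
            raise ValueError("reply does not match any tracked connection")
        orig_dst, orig_src = orig
        return Packet(orig_dst, orig_src, reply=True)


def hairpin(client_ip: str, snat_source: Optional[str]) -> Tuple[bool, Packet]:
    """Send one request from client_ip to WAN_IP and return (accepted, reply
    as the client sees it).  The client accepts only a reply that comes from
    WAN_IP, the address it actually connected to."""
    router = Router(snat_source)
    request = Packet(client_ip, WAN_IP)
    forwarded = router.forward(request)           # client's default route is the router
    reply = Packet(forwarded.dst, forwarded.src, reply=True)  # server swaps src/dst
    # Host routing on the server: a reply addressed to the router itself, or to a
    # host off its /24, goes to the router; a reply to a host on its own /24 goes
    # straight over the LAN and the router never sees it (the "TCP Triangle").
    if reply.dst == ROUTER_LAN_IP or not same_subnet(reply.src, reply.dst):
        final = router.forward(reply)
    else:
        final = reply
    accepted = (final.src, final.dst) == (WAN_IP, client_ip)
    return accepted, final


if __name__ == "__main__":
    for label, client, snat in [
        ("same subnet, DNAT only", CLIENT_IP, None),
        ("same subnet, SNAT to WAN address", CLIENT_IP, THREAD_SNAT_SOURCE),
        ("same subnet, SNAT to router LAN address", CLIENT_IP, ROUTER_LAN_IP),
        ("other subnet, DNAT only", OTHER_SUBNET_CLIENT, None),
    ]:
        ok, seen = hairpin(client, snat)
        print(f"{label}: {'accepted' if ok else 'DROPPED'} (client saw {seen.src} -> {seen.dst})")
```

In the first case the client sent to 123.456.789.012 but receives a reply from 192.168.1.123, which matches no connection it knows about, so the stack discards it. Either SNAT source makes the server answer the router instead, which then reverses both translations; Grant's preference for the internal interface address keeps that hairpin traffic entirely on the LAN side of the router.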
