From: Mart Frauenlob <mart.frauenlob@chello.at>
Cc: netfilter@vger.kernel.org, patrick.chemla@perfaction.net
Subject: Re: I can't make forwarding
Date: Tue, 16 Feb 2010 16:38:21 +0100	[thread overview]
Message-ID: <4B7ABBED.1020404@chello.at> (raw)
In-Reply-To: <4B7A7F39.5090808@perfaction.net>

On 16.02.2010 12:34, netfilter-owner@vger.kernel.org wrote:
> Hi,
> 
> I have problems to setup a NAT router using iptables.
> 
> My NAT Router is running Fedora 11.
> 
> I have 2 interfaces, eth0 10.0.0.1 is internal, eth1 172.25.2.2 is
> external.
> 
> I have 10 external public addresses coming to the interface eth1 that I
> want to forward to 10 internal computers on eth0.
> 
> When I try to ping or access an external web server from the NAT server
> itself, it works very fine. I see on the remote server the external
> address of the NAT router itself.
> When I try to ping or wget an external web server from an internal
> 10.0.0.151 computer,  using TCPDUMP both on the foreign server interface
> and on the eth1 of the NAT router, I see  that packets reach the
> external server with the right IP 192.114.84.144, I see that the
> external server send back something, but I can't get it back on the eth1
> tcpdump.
> 
> Here is my iptables:
> ============
> iptables -n  -L -v
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source              
> destination
>  1664  208K ACCEPT     all  --    *       *       0.0.0.0/0            
> 0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT           icmp --  *       *      
> 0.0.0.0/0             0.0.0.0/0
>     0     0 ACCEPT            all  --   lo      *      
> 0.0.0.0/0             0.0.0.0/0
>     0     0 ACCEPT             tcp  --  *       *      
> 0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
> 
> Chain FORWARD (policy ACCEPT 3499 packets, 213K bytes)
>  pkts bytes target     prot opt in     out         source              
> destination
>     0     0 ACCEPT         all  --    eth0   eth1   
> 10.0.0.151           192.114.84.144      state NEW,RELATED,ESTABLISHED
>     0     0 ACCEPT         all  --    eth1   eth0   
> 192.114.84.144       10.0.0.151          state NEW,RELATED,ESTABLISHED
> 
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target      prot opt in     out     source              
> destination
>   466 71467 ACCEPT     all     --  *        *       0.0.0.0/0           
> 0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>     0     0       ACCEPT     icmp --   *        *      
> 0.0.0.0/0            0.0.0.0/0

Why have all the ACCEPT rules, if the policy of all chains is ACCEPT?
Use at least a DROP policy in the INPUT and FORWARD chains.

EXT_IF=eth1
INT_IF=eth0
INT_IP01=10.0.0.151

iptables -A FORWARD -o $INT_IF -d $INT_IP01 -m state ... -p ... -j ACCEPT
iptables -A FORWARD -i $INT_IF -s $INT_IP01 ... -j ACCEPT

> 
> Here is my NAT table:
> =============
> iptables -n -t nat -L -v
> Chain PREROUTING (policy ACCEPT 915 packets, 129K bytes)
>  pkts bytes target     prot opt in     out     source              
> destination
>     0     0        DNAT      tcp    --  eth1   *      
> 192.114.84.144       0.0.0.0/0           to:10.0.0.151
> 
> Chain POSTROUTING (policy ACCEPT 75 packets, 6372 bytes)
>  pkts bytes target     prot opt in      out     source              
> destination
>    16   960     SNAT       all     --    *      eth1   
> 10.0.0.151           0.0.0.0/0           to:192.114.84.144
> 
> Chain OUTPUT (policy ACCEPT 36 packets, 3998 bytes)
>  pkts bytes target     prot opt in     out     source              
> destination
> 
> 
> I think I ACCEPT and FORWARD all, I have both SNAT and DNAT, but I
> missed something.
> 
> Help will be welcome.
> 
> Patrick

OK, let's work this out:

goal 1: I want a request coming from the internet - towards a specific
ip of the external interface of the gateway, to be redirected to a
certain ip inside my internal network.

EXT_IF=eth1
EXT_IP01=192.114.84.144
INT_IP01=10.0.0.151

iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP01 -j DNAT \
    --to-destination $INT_IP01

This will map external requests to the internal server; traffic coming
back will be re-translated by itself.

Repeat for every external/internal IP pair...

goal 2: All traffic originating from a certain internal ip - should
leave the external interface with a certain ip.

iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_IP01 -j SNAT \
    --to-source $EXT_IP01

Repeat for every internal/external IP pair...


Instead of writing all that stuff in the nat table, one might prefer
assigning the external IPs to the servers and routing the traffic through.

Best regards

Mart
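Added example (not part of the thread, and not Mart's or Patrick's code): a small generator that emits the complete 1:1 NAT ruleset Mart describes for a list of external/internal IP pairs, with DROP policies and stateful FORWARD rules. It only prints the iptables commands so they can be reviewed before being applied as root; the second IP pair and the interface names other than eth0/eth1 are constructed values.

```shell
#!/bin/sh
# Print a 1:1 NAT ruleset: DNAT inbound, SNAT outbound, stateful FORWARD.
# Nothing is applied; pipe the output to sh as root after reviewing it.

EXT_IF=eth1
INT_IF=eth0
# "external:internal" pairs. The first pair is from the thread, the
# second is a constructed placeholder for a further mapping.
PAIRS="192.114.84.144:10.0.0.151 192.114.84.145:10.0.0.152"

# gen_nat_rules EXT_IF INT_IF "ext1:int1 ext2:int2 ..."
gen_nat_rules() {
    ext_if=$1; int_if=$2; pairs=$3
    # Forwarding must be enabled in the kernel or nothing passes at all.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Default to DROP in INPUT and FORWARD, as suggested in the reply.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # One conntrack rule covers replies in both directions for every pair.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    for pair in $pairs; do
        ext_ip=${pair%%:*}
        int_ip=${pair#*:}
        # goal 1: requests to the public IP are redirected to the internal host
        echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -j DNAT --to-destination $int_ip"
        # goal 2: traffic from the internal host leaves with its public IP
        echo "iptables -t nat -A POSTROUTING -o $ext_if -s $int_ip -j SNAT --to-source $ext_ip"
        # The filter table sees the post-DNAT destination, so match the
        # internal address here, and only allow the two expected directions.
        echo "iptables -A FORWARD -i $ext_if -o $int_if -d $int_ip -m state --state NEW -j ACCEPT"
        echo "iptables -A FORWARD -i $int_if -o $ext_if -s $int_ip -m state --state NEW -j ACCEPT"
    done
}

gen_nat_rules "$EXT_IF" "$INT_IF" "$PAIRS"
```

If replies are still not seen on the external interface after applying this, the upstream router is likely not routing the extra public addresses to the gateway, which no iptables rule can fix.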
