DNAT-Problem

DNAT-Problem

[Tom Fischer]

Hi,

i have a problem with DNAT. We have to move some services for a few days
on another machine. So we want do DNAT on incoming Packets. I set

iptables -A PREROUTING -t nat -s 0/0 -d xxx.xxx.xxx.xxx -p tcp --dport
9000-j DNAT --to xxx.xxx.xxx.xxx

Should be enough on this box in my opinion. So i can see the Packet
incoming on the old machine, and i can see the Packet with my Source IP
and the new destination IP, but i think the packet never leaves the old
machine. tcpdump looks like this

[root@server4 mysql]# tcpdump -n port 9000
tcpdump: listening on eth0
04:02:04.746105 217.232.189.4.65423 > oldmachine.9000: S
740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66069311
0,nop,wscale 7> (DF) [tos 0x70] 
04:02:04.746151 217.232.189.4.65423 > newmachine.70.9000: S
740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66069311
0,nop,wscale 7> (DF) [tos 0x70] 
04:02:07.744772 217.232.189.4.65423 > oldmachine.9000: S
740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66072311
0,nop,wscale 7> (DF) [tos 0x70] 
04:02:07.744806 217.232.189.4.65423 > newmachine.9000: S
740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66072311
0,nop,wscale 7> (DF) [tos 0x70] 

The packet never arivves on the new machine. What am I missing?

Kernel is 2.4.27, the box seems to be Fedora Core 2 and iptables is
Version 1.2.7a.

Anybody can help me out?

Tom 

Re: DNAT-Problem

[Jason Opperisano]

On Wed, 2004-09-08 at 22:10, Tom Fischer wrote:
> Hi,
> 
> i have a problem with DNAT. We have to move some services for a few days
> on another machine. So we want do DNAT on incoming Packets. I set
> 
> iptables -A PREROUTING -t nat -s 0/0 -d xxx.xxx.xxx.xxx -p tcp --dport
> 9000-j DNAT --to xxx.xxx.xxx.xxx

since you didn't provide your rules, i'm gonna haveta ask a really
stupid question...

did you execute that command with the old DNAT rule in place?  if
so--the new rule got appended to the end of the PREROUTING chain of the
nat table, after the old rule; therefore, will never get matched.

it would be helpful for us list-types to see the output of:

        iptables -t nat -vnL
        
another thought--NAT happens first (PREROUTING), then filter rules.  you
will need to edit your filter rule to allow traffic to "newserver's"
actual IP instead of "oldserver's" actual IP.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: DNAT-Problem

[Tom Fischer]

On Wed, 08 Sep 2004 22:26:44 -0400
Jason Opperisano <opie@817west.com> wrote:

> On Wed, 2004-09-08 at 22:10, Tom Fischer wrote:
> > Hi,
> > 
> > i have a problem with DNAT. We have to move some services for a few
> > days on another machine. So we want do DNAT on incoming Packets. I
> > set
> > 
> > iptables -A PREROUTING -t nat -s 0/0 -d xxx.xxx.xxx.xxx -p tcp
> > --dport 9000-j DNAT --to xxx.xxx.xxx.xxx
> 
> since you didn't provide your rules, i'm gonna haveta ask a really
> stupid question...
> 
> did you execute that command with the old DNAT rule in place?  if
> so--the new rule got appended to the end of the PREROUTING chain of
> the nat table, after the old rule; therefore, will never get matched.
> 
> it would be helpful for us list-types to see the output of:
> 
>         iptables -t nat -vnL

This is the only rule.

[root@server4 root]# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 645K packets, 35M bytes)
 pkts bytes target     prot opt in     out     source              
destination             2   120 DNAT       tcp  --  *      *      
0.0.0.0/0            oldmachine       tcp dpt:9000 to:newmachine

Chain POSTROUTING (policy ACCEPT 62473 packets, 3966K bytes)
 pkts bytes target     prot opt in     out     source              
destination         

Chain OUTPUT (policy ACCEPT 62441 packets, 3964K bytes)
 pkts bytes target     prot opt in     out     source              
destination         

>         
> another thought--NAT happens first (PREROUTING), then filter rules. 
> you will need to edit your filter rule to allow traffic to
> "newserver's" actual IP instead of "oldserver's" actual IP.
> 

There are no Filterrules installed at the moment.

Tom

Re: DNAT-Problem

[Jason Opperisano]

On Thu, 2004-09-09 at 06:29, Tom Fischer wrote:
> This is the only rule.
> 
> [root@server4 root]# iptables -t nat -vnL
> Chain PREROUTING (policy ACCEPT 645K packets, 35M bytes)
>  pkts bytes target     prot opt in     out     source              
> destination             2   120 DNAT       tcp  --  *      *      
> 0.0.0.0/0            oldmachine       tcp dpt:9000 to:newmachine
> 
> Chain POSTROUTING (policy ACCEPT 62473 packets, 3966K bytes)
>  pkts bytes target     prot opt in     out     source              
> destination         
> 
> Chain OUTPUT (policy ACCEPT 62441 packets, 3964K bytes)
>  pkts bytes target     prot opt in     out     source              
> destination         
> 
> >         
> > another thought--NAT happens first (PREROUTING), then filter rules. 
> > you will need to edit your filter rule to allow traffic to
> > "newserver's" actual IP instead of "oldserver's" actual IP.
> > 
> 
> There are no Filterrules installed at the moment.
> 
> Tom

what are the IP addresses of $oldmachine and $newmachine (obfuscate the
first two octets if you must)?

are you trying to DNAT from one machine on the local network to another
machine on the local network?  what network is the client traffic
sourcing from?  is it the same network?

-j

-- 
Jason Opperisano <opie@817west.com>

Re: DNAT-Problem

[Tom Fischer]

On Thu, 09 Sep 2004 07:38:26 -0400
Jason Opperisano <opie@817west.com> wrote:

> what are the IP addresses of $oldmachine and $newmachine (obfuscate
> the first two octets if you must)?

$oldmachine=81.16.97
$newmachine=80.190.140

There are a few IP-Adresse which i have to transfer to the newmachine.

> are you trying to DNAT from one machine on the local network to
> another machine on the local network?  what network is the client
> traffic sourcing from?  is it the same network?

No, they are on different locations. The old one is in Innsbruck,
Austria and the new one in Munich, Germany.

Tom

Re: DNAT-Problem

[Jason Opperisano]

On Thu, 2004-09-09 at 07:58, Tom Fischer wrote:
> On Thu, 09 Sep 2004 07:38:26 -0400
> Jason Opperisano <opie@817west.com> wrote:
> 
> > what are the IP addresses of $oldmachine and $newmachine (obfuscate
> > the first two octets if you must)?
> 
> $oldmachine=81.16.97
> $newmachine=80.190.140
> 
> There are a few IP-Adresse which i have to transfer to the newmachine.
> 
> > are you trying to DNAT from one machine on the local network to
> > another machine on the local network?  what network is the client
> > traffic sourcing from?  is it the same network?
> 
> No, they are on different locations. The old one is in Innsbruck,
> Austria and the new one in Munich, Germany.

for what it's worth--it sounds like your problem has much more to do
with routing than with iptables firewalling.

i think i may have misunderstood your original post.  are you running
iptables and the DNAT rule on $oldmachine?  if so, unless the reply
packets from $newmachine are routed back through $oldmachine; this setup
won't work (for what should be painfully obvious reasons).

if your DNAT rule is on a gateway machine upstream from both $oldmachine
and $newmachine--i'd say you have a routing failure somewhere in the
chain.

-j

-- 
Jason Opperisano <opie@817west.com>

Re: DNAT-Problem

[Tom Fischer]

On Thu, 09 Sep 2004 09:26:54 -0400
Jason Opperisano <opie@817west.com> wrote:

> On Thu, 2004-09-09 at 07:58, Tom Fischer wrote:
> > On Thu, 09 Sep 2004 07:38:26 -0400
> > Jason Opperisano <opie@817west.com> wrote:
> > 
> > > what are the IP addresses of $oldmachine and $newmachine
> > > (obfuscate the first two octets if you must)?
> > 
> > $oldmachine=81.16.97
> > $newmachine=80.190.140
> > 
> > There are a few IP-Adresse which i have to transfer to the
> > newmachine.
> > 
> > > are you trying to DNAT from one machine on the local network to
> > > another machine on the local network?  what network is the client
> > > traffic sourcing from?  is it the same network?
> > 
> > No, they are on different locations. The old one is in Innsbruck,
> > Austria and the new one in Munich, Germany.
> 
> for what it's worth--it sounds like your problem has much more to do
> with routing than with iptables firewalling.
> 
> i think i may have misunderstood your original post.  are you running
> iptables and the DNAT rule on $oldmachine?  if so, unless the reply
> packets from $newmachine are routed back through $oldmachine; this
> setup won't work (for what should be painfully obvious reasons).

Ok, i see the Problem. Is it possible to mark this packet and route it
based on the mark? I think i build a similar setup few weeks ago where i
have to route and nat packets which came in on eone vpn and should go
out on the other vpn.

> if your DNAT rule is on a gateway machine upstream from both
> $oldmachine and $newmachine--i'd say you have a routing failure
> somewhere in the chain.

No, unfortunately it is not. I will try to mark the packets.

Thx for help

Tom

Re: DNAT-Problem

[Abdul-Wahid Paterson]

Are you sure that you are not dropping the packet in another
table/chain. Perhaps do something like

watch -n 1 iptables -L -n -v

so that you can see the packet count when you test to see if the
packet rule is being accepted or dropped somewhere.

Abdul-Wahid


On Thu, 9 Sep 2004 04:10:47 +0200, Tom Fischer <tom.fischer@ebuz.de> wrote:
> Hi,
> 
> i have a problem with DNAT. We have to move some services for a few days
> on another machine. So we want do DNAT on incoming Packets. I set
> 
> iptables -A PREROUTING -t nat -s 0/0 -d xxx.xxx.xxx.xxx -p tcp --dport
> 9000-j DNAT --to xxx.xxx.xxx.xxx
> 
> Should be enough on this box in my opinion. So i can see the Packet
> incoming on the old machine, and i can see the Packet with my Source IP
> and the new destination IP, but i think the packet never leaves the old
> machine. tcpdump looks like this
> 
> [root@server4 mysql]# tcpdump -n port 9000
> tcpdump: listening on eth0
> 04:02:04.746105 217.232.189.4.65423 > oldmachine.9000: S
> 740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66069311
> 0,nop,wscale 7> (DF) [tos 0x70]
> 04:02:04.746151 217.232.189.4.65423 > newmachine.70.9000: S
> 740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66069311
> 0,nop,wscale 7> (DF) [tos 0x70]
> 04:02:07.744772 217.232.189.4.65423 > oldmachine.9000: S
> 740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66072311
> 0,nop,wscale 7> (DF) [tos 0x70]
> 04:02:07.744806 217.232.189.4.65423 > newmachine.9000: S
> 740515023:740515023(0) win 5840 <mss 1452,sackOK,timestamp 66072311
> 0,nop,wscale 7> (DF) [tos 0x70]
> 
> The packet never arivves on the new machine. What am I missing?
> 
> Kernel is 2.4.27, the box seems to be Fedora Core 2 and iptables is
> Version 1.2.7a.
> 
> Anybody can help me out?
> 
> Tom
> 
>

DNAT-PROBLEM

[persaie persaie]

MY NETWORK SETUP IS ......
                                                      
                                          
192.168.1.0/24 -->>--
192.168.1.64-(eth1)-----router------(eth0)-192.168.5.55---((--192.168.5.0/24
                                          
----------------------

WHEN I TRY TO DO DNAT – I AM UNABLES TO IT .......

http server is running properly at 192.168.5.50 , and
listening at port 80, and there are no 
firewall rules in machine 192.168.5.50, and policies
are ACCEPT.


			      ------------------------
	
IP-forwarding is enabled on ROUTER machine.           
            
                 
RULES IN MY ROUTER ARE AS FOLLOWS ......

 # Generated by iptables-save v1.2.8 on Sun May  2
15:26:18 2004
*nat
:PREROUTING ACCEPT [1543:280620]
:POSTROUTING ACCEPT [116:27287]
:OUTPUT ACCEPT [19:1310]
-A PREROUTING -d 192.168.1.64 -i eth1 -p tcp -m tcp
--dport 80 -j LOG --log-prefix "http-req-at-prerout"
-A PREROUTING -d 192.168.1.64 -i eth1 -p tcp -m tcp
--dport 80 -j DNAT --to-destination 192.168.5.50
COMMIT
# Completed on Sun May  2 15:26:18 2004
# Generated by iptables-save v1.2.8 on Sun May  2
15:26:18 2004
*filter
:INPUT ACCEPT [12830:1222977]
:FORWARD ACCEPT [5058:1326927]
:OUTPUT ACCEPT [3815:292159]
-A FORWARD -d 192.168.5.50 -p tcp -m tcp --dport 80 -j
LOG --log-prefix "going to 5.50..:"
-A FORWARD -s 192.168.5.50 -p tcp -j LOG --log-prefix
"coming from 5.50..:"
COMMIT
# Completed on Sun May  2 15:26:18 2004               
    
             		------------------------------  

From 192.168.1.252 if i try to access
http://192.168.1.64 then i get these messages in my
router ..                                        
MESSAGES IN /VAR/LOG/MESSAGES ARE AS FOLLOWS....

                                                      
  May  2 15:25:02 fw kernel:
http-req-at-preroutIN=eth1 OUT=
MAC=00:05:5d:4b:6c:22:00:07:95:d2:0f:3f:08:00
SRC=192.168.1.252 DST=192.168.1.64 LEN=60 TOS=0x00
PREC=0x00 TTL=64 ID=37467 DF PROTO=TCP SPT=32935
DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  2 15:25:02 fw kernel: going to 5.50..:IN=eth1
OUT=eth0 SRC=192.168.1.252 DST=192.168.5.50 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=37467 DF PROTO=TCP
SPT=32935 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  2 15:25:05 fw kernel: going to 5.50..:IN=eth1
OUT=eth0 SRC=192.168.1.252 DST=192.168.5.50 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=37468 DF PROTO=TCP
SPT=32935 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  2 15:25:11 fw kernel: going to 5.50..:IN=eth1
OUT=eth0 SRC=192.168.1.252 DST=192.168.5.50 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=37469 DF PROTO=TCP
SPT=32935 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  2 15:25:23 fw kernel: going to 5.50..:IN=eth1
OUT=eth0 SRC=192.168.1.252 DST=192.168.5.50 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=37470 DF PROTO=TCP
SPT=32935 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  2 15:25:47 fw kernel: going to 5.50..:IN=eth1
OUT=eth0 SRC=192.168.1.252 DST=192.168.5.50 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=37471 DF PROTO=TCP
SPT=32935 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May  2 15:26:35 fw kernel: going to 5.50..:IN=eth1
OUT=eth0 SRC=192.168.1.252 DST=192.168.5.50 LEN=60
TOS=0x00 PREC=0x00 TTL=63 ID=37472 DF PROTO=TCP
SPT=32935 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
                                                      
                                          
I am new to iptables , please help me solve this
problem.

Thanks in advance,
regards,
Rohit


	
		
__________________________________
Do you Yahoo!?
Win a $20,000 Career Makeover at Yahoo! HotJobs  
http://hotjobs.sweepstakes.yahoo.com/careermakeover 

Re: DNAT-PROBLEM

[Antony Stone]

On Sunday 02 May 2004 11:20 am, persaie persaie wrote:

> MY NETWORK SETUP IS ......
>
>
> 192.168.1.0/24 -->>--
> 192.168.1.64-(eth1)-----router------(eth0)-192.168.5.55---((--192.168.5.0/24

What is the routing table on the web server at 192.168.5.50?

Does it know how to send packets back to 192.168.1.252?

Antony.

-- 
"The problem with television is that the people must sit and keep their eyes 
glued on a screen; the average American family hasn't time for it."

 - New York Times, following a demonstration at the 1939 World's Fair.

                                                     Please reply to the list;
                                                           please don't CC me.