* NATting again
@ 2004-07-16 15:50 Payal Rathod
  2004-07-16 16:03 ` Antony Stone
  0 siblings, 1 reply; 6+ messages in thread
From: Payal Rathod @ 2004-07-16 15:50 UTC (permalink / raw)
  To: netfilter

Hi,
A simple question. I want to nat a few ports from my Linux server to
windows machine.
I have a separate IP for it. I want to allow users to connect to port
21, 80, 8443 of the windows machine from outside world as well as LAN
users ( the windows box will be in DMZ). Do I write a separate command
for each port? I am unable to use multiple ports at a time. Can
someone give an example? Also, does RELATED & ESTABLISHED rules in
FORWARD and INPUT chains cover this too?

With warm regards,
-Payal



* Re: NATting again
  2004-07-16 15:50 NATting again Payal Rathod
@ 2004-07-16 16:03 ` Antony Stone
  2004-07-16 17:49   ` Payal Rathod
  0 siblings, 1 reply; 6+ messages in thread
From: Antony Stone @ 2004-07-16 16:03 UTC (permalink / raw)
  To: netfilter

On Friday 16 July 2004 4:50 pm, Payal Rathod wrote:

> Hi,
> A simple question. I want to nat a few ports from my Linux server to
> windows machine.
> I have a separate IP for it. I want to allow users to connect to port
> 21, 80, 8443 of the windows machine from outside world as well as LAN
> users ( the windows box will be in DMZ). Do I write a separate command
> for each port?

Yes.

> I am unable to use multiple ports at a time. Can
> someone give an example?

iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 21 -j DNAT --to w.x.y.z
iptables -A FORWARD -d w.x.y.z -p tcp --dport 21 -j ACCEPT

a.b.c.d is the public address you want people to connect to (this address must 
be attached to the external interface of the box running netfilter)
w.x.y.z is the "real" internal address of the Windows machine on your DMZ.

> Also, does RELATED & ESTABLISHED rules in
> FORWARD and INPUT chains cover this too?

No, just the FORWARD chain.

Regards,

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: NATting again
  2004-07-16 16:03 ` Antony Stone
@ 2004-07-16 17:49   ` Payal Rathod
  2004-07-16 18:27     ` Antony Stone
  0 siblings, 1 reply; 6+ messages in thread
From: Payal Rathod @ 2004-07-16 17:49 UTC (permalink / raw)
  To: netfilter

Hi,

On Fri, 16 Jul 2004 17:03:42 +0100, Antony Stone 

> iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 21 -j DNAT --to
> w.x.y.z
> iptables -A FORWARD -d w.x.y.z -p tcp --dport 21 -j ACCEPT

Why is the FORWARD rule needed here? Doesn't the PREROUTING rule
handle the same or rather the rule in ESTABLISHED and RELATED in
FORWARD chain handle it? Why do we need a separate FORWARD rule?

With warm regards,
-Payal



* Re: NATting again
  2004-07-16 17:49   ` Payal Rathod
@ 2004-07-16 18:27     ` Antony Stone
  2004-07-17  4:07       ` Payal Rathod
  0 siblings, 1 reply; 6+ messages in thread
From: Antony Stone @ 2004-07-16 18:27 UTC (permalink / raw)
  To: netfilter

On Friday 16 July 2004 6:49 pm, Payal Rathod wrote:

> Hi,
>
> On Fri, 16 Jul 2004 17:03:42 +0100, Antony Stone
>
> > iptables -A PREROUTING -t nat -d a.b.c.d -p tcp --dport 21 -j DNAT --to
> > w.x.y.z
> > iptables -A FORWARD -d w.x.y.z -p tcp --dport 21 -j ACCEPT
>
> Why is the FORWARD rule needed here?

Because without it, the DNAT rule will change the destination address of the 
packets, and then they won't be allowed through the next chain in sequence 
(PREROUTING --> FORWARD --> POSTROUTING).

If you *didn't* have a DNAT rule, you would need a FORWARD rule, so I think it 
would seem strange if you didn't need a FORWARD rule just because you'd 
changed the destination address.   (For example, what would happen if you 
used a DNAT rule which "changed" the address to the same as it already was?   
Or maybe two DNAT rules in a row - one changes it, and the next changes it 
back again?)

> Doesn't the PREROUTING rule handle the same

No, the PREROUTING rule does exactly what it says it does - it DNATs the 
packet.   Nothing more.

> or rather the rule in ESTABLISHED and RELATED in FORWARD chain handle it?

That rule will handle ESTABLISHED and RELATED packets, but we're talking about 
the first packet in the connection here, which is a NEW one.

> Why do we need a separate FORWARD rule?

I hope I've explained that above.

Regards,

Antony.

-- 
Bill Gates has personally assured the Spanish Academy that he will never allow 
the upside-down question mark to disappear from Microsoft word-processing 
programs, which must be reassuring for millions of Spanish-speaking people, 
though just a piddling afterthought as far as he's concerned.

 - Lynne Truss, "Eats, Shoots and Leaves"

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: NATting again
  2004-07-16 18:27     ` Antony Stone
@ 2004-07-17  4:07       ` Payal Rathod
  2004-07-17  9:08         ` Antony Stone
  0 siblings, 1 reply; 6+ messages in thread
From: Payal Rathod @ 2004-07-17  4:07 UTC (permalink / raw)
  To: netfilter

Hi,

On Fri, 16 Jul 2004 19:27:55 +0100, Antony Stone 
> > Why is the FORWARD rule needed here?
> 
> Because without it, the DNAT rule will change the destination address of the
> packets, and then they won't be allowed through the next chain in sequence
> (PREROUTING --> FORWARD --> POSTROUTING).

I am sorry I don't understand it much. Tell me one more thing if I have
10 machines in DMZ with 10 ports each to allow for outside world, does
that mean writing 100 FORWARD rules and 100 PREROUTING rules?
 
> If you *didn't* have a DNAT rule, you would need a FORWARD rule, so I think it
> would seem strange if you didn't need a FORWARD rule just because you'd
> changed the destination address.   (For example, what would happen if you
> used a DNAT rule which "changed" the address to the same as it already was?
> Or maybe two DNAT rules in a row - one changes it, and the next changes it
> back again?)

Sorry again, but this is just sounding greek to me now :)

With warm regards,
-Payal



* Re: NATting again
  2004-07-17  4:07       ` Payal Rathod
@ 2004-07-17  9:08         ` Antony Stone
  0 siblings, 0 replies; 6+ messages in thread
From: Antony Stone @ 2004-07-17  9:08 UTC (permalink / raw)
  To: netfilter

On Saturday 17 July 2004 5:07 am, Payal Rathod wrote:

> On Fri, 16 Jul 2004 19:27:55 +0100, Antony Stone
>
> > > Why is the FORWARD rule needed here?
> >
> > Because without it, the DNAT rule will change the destination address of
> > the packets, and then they won't be allowed through the next chain in
> > sequence (PREROUTING --> FORWARD --> POSTROUTING).
>
> I am sorry I don't understand it much.

Try reading the section of Oskar Andreasson's tutorial discussing the path of 
packets through the chains and tables.

> Tell me one more thing if I have 10 machines in DMZ with 10 ports each to
> allow for outside world, does that mean writing 100 FORWARD rules and 100
> PREROUTING rules?

Yes.

You may find it possible to combine some of the rules by:

1. grouping IP addresses
2. using the multiport match
3. using a user-defined chain (if the ports to be allowed to all ten machines 
are the same, you can have 10 rules matching on the different IP addresses, 
all pointing to one user-defined chain, and then match the 10 ports in that 
chain)

However, one way or another you have to allow for each unique packet type you 
want to allow through your firewall.

100 rules is not a lot - people on this list have firewalls running with 
thousands of rules on them.

Regards,

Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.



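The rule pattern from Antony's first reply (DNAT in nat/PREROUTING plus an explicit ACCEPT in filter/FORWARD) and the rule-combining options he lists in the last reply, as an added example that is not from the thread: a script that prints the iptables commands for the 21/80/8443 case and for ten DMZ hosts sharing one port list via the multiport match and a user-defined chain. The 203.0.113.x and 10.0.0.x addresses, the chain name DMZ_IN and the port lists are constructed placeholders; the script only prints commands and does not touch the running firewall.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables rule set that applies
# Antony's advice (DNAT in nat/PREROUTING plus an explicit ACCEPT in
# filter/FORWARD) using the multiport match and one user-defined chain.
# All addresses and ports are constructed placeholders. The script only
# prints commands; review them before running anything as root.

# One public->DMZ mapping for a few ports (the 21,80,8443 case in the thread).
# $1 = public address on the external interface, $2 = real DMZ address,
# $3 = comma-separated TCP ports (multiport takes up to 15).
dnat_rules() {
    pub=$1; real=$2; ports=$3
    # nat/PREROUTING rewrites the destination before the routing decision.
    echo "iptables -t nat -A PREROUTING -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $real"
    # filter/FORWARD sees the rewritten address. The first packet of a
    # connection is NEW, so the ESTABLISHED,RELATED rule never matches it.
    echo "iptables -A FORWARD -d $real -p tcp -m multiport --dports $ports -j ACCEPT"
}

# Many DMZ hosts sharing the same port list (Antony's option 3): the port
# match lives once in a user-defined chain, FORWARD gets one jump per host.
# $1 = comma-separated ports; remaining args = public:real address pairs.
shared_port_rules() {
    ports=$1; shift
    # Stateful baseline the thread mentions: replies of allowed connections.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -N DMZ_IN"
    echo "iptables -A DMZ_IN -p tcp -m multiport --dports $ports -j ACCEPT"
    echo "iptables -A DMZ_IN -j DROP"   # anything else aimed at a DMZ host
    for pair in "$@"; do
        pub=${pair%%:*}; real=${pair##*:}
        echo "iptables -t nat -A PREROUTING -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $real"
        echo "iptables -A FORWARD -d $real -p tcp -j DMZ_IN"
    done
}

# Count emitted rules to compare with the one-rule-per-host-per-port approach.
count_rules() { grep -c '^iptables'; }

# Constructed demo: ten DMZ hosts, ten shared ports -> 4 + 2*10 = 24 commands
# instead of 100 PREROUTING + 100 FORWARD rules.
demo_ten_hosts() {
    pairs=""
    for i in 1 2 3 4 5 6 7 8 9 10; do
        pairs="$pairs 203.0.113.$i:10.0.0.$i"
    done
    shared_port_rules 21,22,25,80,110,143,443,465,993,8443 $pairs
}
```

Run `demo_ten_hosts | count_rules` to see the 24 commands the shared-chain layout needs, and `dnat_rules 203.0.113.1 10.0.0.1 21,80,8443` for the two-rule answer to the original question.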
