* Forwarding Help
@ 2003-11-20 20:26 Michael Menges
2003-11-20 20:40 ` Antony Stone
2003-11-20 21:20 ` Eric Wood
0 siblings, 2 replies; 14+ messages in thread
From: Michael Menges @ 2003-11-20 20:26 UTC (permalink / raw)
To: netfilter
GlacierHello folks. What's the best way to handle this situation:
I wish to have my gateway/firewall using iptables to forward incoming internet traffic destined to port 443 (https) to another machine on my localnet (192.168.0.10) keeping the same port number, obviously. I'm on a cable connection with a dynamic IP address, of course. I've read the FAQs and man page but am still unable to come up with the proper syntax. Any generic command structures would be most helpful.
hasta,
Mike
* Re: Forwarding Help
2003-11-20 20:26 Forwarding Help Michael Menges
@ 2003-11-20 20:40 ` Antony Stone
2003-11-20 21:23 ` Jeffrey Laramie
2003-11-20 21:20 ` Eric Wood
1 sibling, 1 reply; 14+ messages in thread
From: Antony Stone @ 2003-11-20 20:40 UTC (permalink / raw)
To: netfilter
On Thursday 20 November 2003 8:26 pm, Michael Menges wrote:
> GlacierHello folks. What's the best way to handle this situation:
>
> I wish to have my gateway/firewall using iptables to forward incoming
> internet traffic destined to port 443 (https) to another machine on my
> localnet (192.168.0.10) keeping the same port number, obviously. I'm on a
> cable connection with a dynamic IP address, of course. I've read the FAQ's
> and man page but yet unable to come up with the proper syntax. Any generic
> command structures would be most helpful.
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to 192.168.0.10
iptables -A FORWARD -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT
eth0 is your external interface. Adjust the rule if this assumption is
incorrect.
Ask if you don't see why the above rules do what you want.
PS: What does "Glacier" mean?
Antony.
--
How I want a drink, alcoholic of course, after the heavy chapters
involving quantum mechanics.
- 3.14159265358979
Please reply to the list;
please don't CC me.
* Re: Forwarding Help
2003-11-20 20:26 Forwarding Help Michael Menges
2003-11-20 20:40 ` Antony Stone
@ 2003-11-20 21:20 ` Eric Wood
1 sibling, 0 replies; 14+ messages in thread
From: Eric Wood @ 2003-11-20 21:20 UTC (permalink / raw)
To: netfilter
----- Original Message -----
> From: Michael Menges
> I wish to have my gateway/firewall using iptables to forward incoming
> internet traffic destined to port 443 (https) to another machine on my
> localnet (192.168.0.10) keeping the same port number, obviously. I'm on a cable
> connection with a dynamic IP address, of course. I've read the FAQ's and man
> page but yet unable to come up with the proper syntax. Any generic command
> structures would be most helpful.
As far as your dynamic IP address is concerned, I've seen that a US Robotics
wireless router will actually update your DynDNS account for you
automatically without needing the software on your server. I guess other
routers are coming with this feature built in nowadays.
-eric wood
* Re: Forwarding Help
2003-11-20 20:40 ` Antony Stone
@ 2003-11-20 21:23 ` Jeffrey Laramie
2003-11-20 21:37 ` Antony Stone
0 siblings, 1 reply; 14+ messages in thread
From: Jeffrey Laramie @ 2003-11-20 21:23 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
>On Thursday 20 November 2003 8:26 pm, Michael Menges wrote:
>
>
>
>>GlacierHello folks. What's the best way to handle this situation:
>>
>>I wish to have my gateway/firewall using iptables to forward incoming
>>internet traffic destined to port 443 (https) to another machine on my
>>localnet (192.168.0.10) keeping the same port number, obviously. I'm on a
>>cable connection with a dynamic IP address, of course. I've read the FAQ's
>>and man page but yet unable to come up with the proper syntax. Any generic
>>command structures would be most helpful.
>>
>>
>
>iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to
>192.168.0.10
>iptables -A FORWARD -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT
>
>
Do you mean -d 192.168.0.10 here? ;-)
>eth0 is your external interface. Adjust the rule if this assumption is
>incorrect
>
>Ask if you don't see why the above rules do what you want.
>
>PS: What does "Glacier" mean?
>
>
That didn't show up in my mail. I think it has something to do with his
html formatting.
Jeff
* Re: Forwarding Help
2003-11-20 21:23 ` Jeffrey Laramie
@ 2003-11-20 21:37 ` Antony Stone
0 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2003-11-20 21:37 UTC (permalink / raw)
To: netfilter
On Thursday 20 November 2003 9:23 pm, Jeffrey Laramie wrote:
> Antony Stone wrote:
> >
> >iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j DNAT --to
> >192.168.0.10
> >iptables -A FORWARD -d 192.168.0.1 -p tcp --dport 443 -j ACCEPT
>
> Do you mean -d 192.168.0.10 here? ;-)
Definitely :-)
> >PS: What does "Glacier" mean?
>
> That didn't show up in my mail. I think it has something to do with his
> html formatting.
HTML???? Ugh!!!
Antony
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
Please reply to the list;
please don't CC me.
* Forwarding help
@ 2003-11-26 22:03 sc2
2003-11-26 22:30 ` zechim
2003-11-26 22:30 ` Antony Stone
0 siblings, 2 replies; 14+ messages in thread
From: sc2 @ 2003-11-26 22:03 UTC (permalink / raw)
To: netfilter
Hello,
I use iptables .7, but it does not work (forward). Any ideas?
Thank you,
PS: I have made the same rules below for TCP as well, not only for UDP.
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -j LOG
iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to ip:port
* Re: Forwarding help
2003-11-26 22:03 Forwarding help sc2
@ 2003-11-26 22:30 ` zechim
2003-11-26 22:30 ` Antony Stone
1 sibling, 0 replies; 14+ messages in thread
From: zechim @ 2003-11-26 22:30 UTC (permalink / raw)
To: sc2; +Cc: netfilter
On Wed, 26 Nov 2003 sc2@gmx.at wrote:
||hello
||i use iptables .7, but it does not work (forward) , any ideas?
||thank you ,
||ps: same rules down i have make for tcp match not only for udp
||
||echo "1" > /proc/sys/net/ipv4/ip_forward
||iptables -F FORWARD
||iptables -t nat -F
||iptables -A FORWARD -j LOG
||iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
||iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to
||ip:port
iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to-destination ip
||
||
+ Lucas de Camargo Zechim
+ IT Administrator
+
+ phone: 55 19 3492 8894
+
+ CNEC Capivari
+ Rua Barão do Rio Branco, 374
+ 13360-000
+ Capivari / São Paulo / Brasil
+
+ email by pine 4.58 / Slackware Linux 9.1 / kernel 2.4.22-xfs
+ "The powerful can kill one, two or three roses, but
+ they will never manage to hold back the whole spring"
* Re: Forwarding help
2003-11-26 22:03 Forwarding help sc2
2003-11-26 22:30 ` zechim
@ 2003-11-26 22:30 ` Antony Stone
2003-11-27 11:07 ` sc2
1 sibling, 1 reply; 14+ messages in thread
From: Antony Stone @ 2003-11-26 22:30 UTC (permalink / raw)
To: netfilter
On Wednesday 26 November 2003 10:03 pm, sc2@gmx.at wrote:
> hello
> i use iptables .7, but it does not work (forward) , any ideas?
> thank you ,
> ps: same rules down i have make for tcp match not only for udp
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -j LOG
> iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to
> ip:port
I assume in that last rule the two occurrences of "ip" are different.
Which one is specified in the FORWARD rule? Make sure it is the translated
address (ie the address on the packet after it has gone through the
PREROUTING rule), because it will no longer have the original destination
address by the time it hits the FORWARD chain.
If that's not the answer then post your actual ruleset (by all means munge the
addresses if you don't want us to know exactly what they are, but let us see
which ones are which...)
Antony.
--
Wanted: telepath. You know where to apply.
Please reply to the list;
please don't CC me.
* Re: Forwarding help
2003-11-26 22:30 ` Antony Stone
@ 2003-11-27 11:07 ` sc2
2003-11-27 11:34 ` Antony Stone
0 siblings, 1 reply; 14+ messages in thread
From: sc2 @ 2003-11-27 11:07 UTC (permalink / raw)
To: netfilter
Thanks for the answer, Antony.
Here is the complete rules list; sorry for the xx.xx.xx, it was stupid of me
(full range)...
IP xx.xxx.24.51 should be forwarded to IP xx.xxx.24.58
(only for 1 port).
Thank you
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -F FORWARD
iptables -t nat -F
iptables -A FORWARD -j LOG
iptables -A FORWARD -p udp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -d xx.xxx.24.51 --dport xxx21 -j DNAT --to xx.xxx.24.58:xx021
iptables -A FORWARD -p tcp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d xx.xxx.24.51 --dport xxx21 -j DNAT --to xx.xxx.xx.58:xxx21
> On Wednesday 26 November 2003 10:03 pm, sc2@gmx.at wrote:
>
> > hello
> > i use iptables .7, but it does not work (forward) , any ideas?
> > thank you ,
> > ps: same rules down i have make for tcp match not only for udp
> >
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> > iptables -F FORWARD
> > iptables -t nat -F
> > iptables -A FORWARD -j LOG
> > iptables -A FORWARD -p udp -d ip --dport port -j ACCEPT
> > iptables -t nat -A PREROUTING -p udp -d ip --dport port -j DNAT --to
> > ip:port
>
> I assume in that last rule the two occurrences of "ip" are different.
>
> Which one is specified in the FORWARD rule? Make sure it is the translated
> address (ie the address on the packet after it has gone through the
> PREROUTING rule), because it will no longer have the original destination
> address by the time it hits the FORWARD chain.
>
> If that's not the answer then post your actual ruleset (by all means munge the
> addresses if you don't want us to know exactly what they are, but let us see
> which ones are which...)
>
> Antony.
>
> --
> Wanted: telepath. You know where to apply.
>
> Please reply to the list;
> please don't CC me.
* Re: Forwarding help
2003-11-27 11:07 ` sc2
@ 2003-11-27 11:34 ` Antony Stone
2003-11-27 12:48 ` sc2
0 siblings, 1 reply; 14+ messages in thread
From: Antony Stone @ 2003-11-27 11:34 UTC (permalink / raw)
To: netfilter
On Thursday 27 November 2003 11:07 am, sc2@gmx.at wrote:
> Thanks for the answer, Antony.
> Here is the complete rules list; sorry for the xx.xx.xx, it was stupid of me
> (full range)...
> IP xx.xxx.24.51 should be forwarded to IP xx.xxx.24.58
> (only for 1 port).
> Thank you
>
> echo "1" > /proc/sys/net/ipv4/ip_forward
> iptables -F FORWARD
> iptables -t nat -F
> iptables -A FORWARD -j LOG
> iptables -A FORWARD -p udp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp -d xx.xxx.24.51 --dport xxx21 -j
> DNAT --to xx.xxx.24.58:xx021
>
> iptables -A FORWARD -p tcp -d xx.xxx.24.58 --dport xxx21 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp -d xx.xxx.24.51 --dport xxx21 -j
> DNAT --to xx.xxx.xx.58:xxx21
The only thing I can see missing here is a rule to allow the replies back
through the Firewall in the other direction (the FORWARD rules you have shown
only allow the first packet of the initial connection).
So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" might
be a good idea.
However, the fact that the original address, and the translated address, are
both in the same network range, makes me ask "is the client which is trying
to access xx.xxx.25.51 on the other side of the Firewall (ie the client must
not be on the same subnet as the server xx.xxx.25.58)?"
My final question is: what is the actual port number (or alternatively, what
is the service you are trying to NAT)? Are you sure it is a protocol which
doesn't mind being NATted (some do, some don't, some need helpers)?
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
Please reply to the list;
please don't CC me.
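Two points Antony makes in this thread (and in the earlier "Forwarding Help" thread) are easy to get wrong: the FORWARD rule must match the address the packet has after PREROUTING rewrote it, and the replies need their own ACCEPT. The following toy model of the netfilter path is an added example written for this page, not code from the netfilter project or from anyone on the list. The Firewall, Rule and run_scenario names, the interface names and the addresses (203.0.113.7, 192.168.0.10, 198.51.100.23) are all constructed; POSTROUTING, LOG and the FAQ's other chains are deliberately left out.

```python
"""Toy model of the netfilter path a DNAT'd packet takes: nat PREROUTING
first, then filter FORWARD, with a minimal conntrack table. Added example,
not code from the netfilter list; addresses, ports and interface names are
constructed sample values, and POSTROUTING / LOG are not modelled."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    in_iface: str


@dataclass(frozen=True)
class Rule:
    """A rule matches on every field that is not None (like -p/-d/--dport/-i)."""
    target: str                      # "DNAT", "ACCEPT" or "ACCEPT_ESTABLISHED"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    in_iface: Optional[str] = None
    to: Optional[str] = None         # DNAT --to-destination, "ip" or "ip:port"

    def matches(self, pkt: Packet) -> bool:
        wanted = ((self.proto, pkt.proto), (self.dst, pkt.dst),
                  (self.dport, pkt.dport), (self.in_iface, pkt.in_iface))
        return all(w is None or w == have for w, have in wanted)


class Firewall:
    def __init__(self, nat_prerouting, filter_forward, policy="DROP"):
        self.nat = nat_prerouting
        self.forward = filter_forward
        self.policy = policy
        # original 5-tuple of a connection -> (translated dst, translated dport)
        self.conntrack = {}

    def _is_reply(self, pkt: Packet) -> bool:
        # A reply comes from the translated destination back to the original source.
        for (proto, src, sport, _, _), (ndst, ndport) in self.conntrack.items():
            if (proto, ndst, ndport, src, sport) == (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport):
                return True
        return False

    def handle(self, pkt: Packet):
        """Return (verdict, packet as the FORWARD chain saw it)."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            state = "ESTABLISHED"          # later packets reuse the stored mapping
            pkt = replace(pkt, dst=self.conntrack[key][0], dport=self.conntrack[key][1])
        elif self._is_reply(pkt):
            state = "ESTABLISHED"          # source un-NAT happens in POSTROUTING, not modelled
        else:
            state = "NEW"
            # nat PREROUTING is consulted only for the first packet of a connection
            for rule in self.nat:
                if rule.target == "DNAT" and rule.matches(pkt):
                    ip, _, port = rule.to.partition(":")
                    pkt = replace(pkt, dst=ip, dport=int(port) if port else pkt.dport)
                    break
            self.conntrack[key] = (pkt.dst, pkt.dport)
        # filter FORWARD sees the packet *after* PREROUTING rewrote it
        verdict = self.policy
        for rule in self.forward:
            if rule.target == "ACCEPT_ESTABLISHED":
                if state == "ESTABLISHED":
                    verdict = "ACCEPT"
                    break
            elif rule.matches(pkt):
                verdict = rule.target
                break
        if state == "NEW" and verdict != "ACCEPT":
            del self.conntrack[key]        # a dropped first packet never confirms its entry
        return verdict, pkt


# Constructed sample values: external interface, public address, DNAT target, a client.
EXT_IF, PUBLIC_IP, SERVER, CLIENT = "eth0", "203.0.113.7", "192.168.0.10", "198.51.100.23"


def run_scenario(forward_dst: str, allow_replies: bool):
    """Client SYN to the public address on 443, then the server's SYN/ACK back.
    forward_dst is the -d address used in the FORWARD ACCEPT rule."""
    nat = [Rule("DNAT", proto="tcp", dport=443, in_iface=EXT_IF, to=SERVER)]
    fwd = [Rule("ACCEPT_ESTABLISHED")] if allow_replies else []
    fwd.append(Rule("ACCEPT", proto="tcp", dst=forward_dst, dport=443))
    fw = Firewall(nat, fwd)
    v_in, seen = fw.handle(Packet("tcp", CLIENT, 51000, PUBLIC_IP, 443, EXT_IF))
    v_back, _ = fw.handle(Packet("tcp", SERVER, 443, CLIENT, 51000, "eth1"))
    return v_in, seen.dst, v_back


if __name__ == "__main__":
    print("FORWARD -d translated, with state rule :", run_scenario(SERVER, True))
    print("FORWARD -d 192.168.0.1 (the typo)      :", run_scenario("192.168.0.1", True))
    print("FORWARD -d original public address     :", run_scenario(PUBLIC_IP, True))
    print("FORWARD -d translated, no state rule   :", run_scenario(SERVER, False))
```

Only the first scenario lets both directions through: matching FORWARD on the public address (or on a mistyped 192.168.0.1) drops the SYN because the chain already sees 192.168.0.10, and leaving out the ESTABLISHED,RELATED rule lets the SYN in but drops the server's SYN/ACK on the way back.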
* Re: Forwarding help
2003-11-27 11:34 ` Antony Stone
@ 2003-11-27 12:48 ` sc2
2003-11-27 12:58 ` Antony Stone
0 siblings, 1 reply; 14+ messages in thread
From: sc2 @ 2003-11-27 12:48 UTC (permalink / raw)
To: netfilter
so
a.)
> So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" might
> be a good idea.
I should include this?
b.) the port/service is a UDP/TCP port of a Half-Life game server, so
the clients are not on the same subnet;
they are connecting to x.24.51 and it should forward to .24.58.
cya
* Re: Forwarding help
2003-11-27 12:48 ` sc2
@ 2003-11-27 12:58 ` Antony Stone
2003-11-27 13:14 ` Ray Leach
0 siblings, 1 reply; 14+ messages in thread
From: Antony Stone @ 2003-11-27 12:58 UTC (permalink / raw)
To: netfilter
On Thursday 27 November 2003 12:48 pm, sc2@gmx.at wrote:
> > So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
> > might be a good idea.
>
> I should include this?
This will allow the reply packets back again - if you don't have this, you
need a specific rule to allow those the same as you have a specific rule to
allow the original packets. Don't forget communications go both ways
through a firewall :)
> b.) the port/service is a UDP/TCP port of a Half-Life game server, so
> the clients are not on the same subnet;
> they are connecting to x.24.51 and it should forward to .24.58.
Does halflife work through NAT?
I don't know (maybe someone else here does), but you should be aware that
there are some protocols which just work through NAT, some which are a bit of
a challenge, and some which won't work at all.
I don't know which group halflife falls into.
Antony.
--
Most people have more than the average number of legs.
Please reply to the list;
please don't CC me.
* Re: Forwarding help
2003-11-27 12:58 ` Antony Stone
@ 2003-11-27 13:14 ` Ray Leach
2003-11-27 13:21 ` Antony Stone
0 siblings, 1 reply; 14+ messages in thread
From: Ray Leach @ 2003-11-27 13:14 UTC (permalink / raw)
To: Netfilter Mailing List
On Thu, 2003-11-27 at 14:58, Antony Stone wrote:
> On Thursday 27 November 2003 12:48 pm, sc2@gmx.at wrote:
>
> > > So "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
> > > might be a good idea.
> >
> > I should include this?
>
> This will allow the reply packets back again - if you don't have this, you
> need a specific rule to allow those the same as you have a specific rule to
> allow the original packets. Don't forget communications go both ways
> through a firewall :)
>
> > b.) the port/service is a UDP/TCP port of a Half-Life game server, so
> > the clients are not on the same subnet;
> > they are connecting to x.24.51 and it should forward to .24.58.
>
> Does halflife work through NAT?
>
> I don't know (maybe someone else here does), but you should be aware that
> there are some protocols which just work through NAT, some which are a bit of
> a challenge, and some which won't work at all.
>
Halflife like most network games uses UDP, so should be able to work
through nat.
> I don't know which group halflife falls into.
>
> Antony.
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
* Re: Forwarding help
2003-11-27 13:14 ` Ray Leach
@ 2003-11-27 13:21 ` Antony Stone
0 siblings, 0 replies; 14+ messages in thread
From: Antony Stone @ 2003-11-27 13:21 UTC (permalink / raw)
To: Netfilter Mailing List
On Thursday 27 November 2003 1:14 pm, Ray Leach wrote:
> Halflife like most network games uses UDP, so should be able to work
> through nat.
I'm not sure I see the reasoning here. Just because something uses UDP
doesn't automatically mean it will work through nat?
The criterion for whether a protocol will work through nat or not is whether
the IP address that each end-system thinks it has gets embedded in the
communication somewhere or not. If those addresses do get embedded in the
packet contents, then it won't work through nat without a helper which
understands where and how the embedding is done, and can fiddle about with
it.
I don't think it makes any difference whether the packets get to the other end
by TCP, UDP or anything else?
Antony.
--
The first fifty percent of an engineering project takes ninety percent of the
time, and the remaining fifty percent takes another ninety percent of the
time.
Please reply to the list;
please don't CC me.
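Antony's criterion (does the protocol embed an end-system's own address in its payload?) is the whole story of NAT helpers, so here is an added example that walks through it; it is written for this page and is not code from the netfilter project or from anyone on the list. The "CALLBACK" protocol is constructed (loosely modelled on FTP's PORT command and the way a conntrack helper records an expectation), and so are the addresses 192.168.0.10, 203.0.113.7 and 198.51.100.23.

```python
"""Toy illustration of why a protocol that embeds IP addresses in its payload
breaks under NAT unless a helper rewrites the payload. Added example, not code
from the netfilter list; the 'CALLBACK' protocol and all addresses are
constructed (modelled loosely on how FTP PORT and its helper behave)."""
import re

PRIVATE, PUBLIC, SERVER = "192.168.0.10", "203.0.113.7", "198.51.100.23"
# Constructed protocol: the client tells the server where to connect back to.
CALLBACK_RE = re.compile(r"^CALLBACK (\d+\.\d+\.\d+\.\d+):(\d+)$")


def nat_source(pkt, helper=None, expectations=None):
    """Rewrite the IP header's source (SNAT/masquerade). The payload is left
    untouched unless a helper that understands the protocol is attached."""
    out = dict(pkt, src=PUBLIC)
    if helper is not None:
        out["payload"] = helper(pkt["src"], out["src"], pkt["payload"], expectations)
    return out


def callback_helper(private_ip, public_ip, payload, expectations):
    """What a NAT helper does: find the embedded address, rewrite it to the
    public one, and register the connection the server is about to open."""
    m = CALLBACK_RE.match(payload)
    if not m or m.group(1) != private_ip:
        return payload
    port = int(m.group(2))
    # An inbound connection to public_ip:port is now RELATED and must be
    # DNATted back to the private host, like a conntrack helper's expectation.
    expectations[(public_ip, port)] = (private_ip, port)
    return f"CALLBACK {public_ip}:{port}"


def server_reacts(payload, reachable_from_internet):
    """The server parses the embedded address and tries to connect back to it.
    Returns the (ip, port) it targets, or None if the address is unreachable."""
    m = CALLBACK_RE.match(payload)
    ip, port = m.group(1), int(m.group(2))
    return (ip, port) if ip in reachable_from_internet else None


def inbound_classify(dst, dport, expectations):
    """Classify the server's callback at the firewall: an expected packet is
    RELATED and mapped to the private host; anything else stays NEW and unmapped."""
    target = expectations.get((dst, dport))
    return ("RELATED", target) if target else ("NEW", (dst, dport))


def simulate(with_helper):
    """Returns (payload the server saw, outcome of its callback attempt)."""
    expectations = {}
    pkt = {"src": PRIVATE, "dst": SERVER, "payload": f"CALLBACK {PRIVATE}:6000"}
    natted = nat_source(pkt, callback_helper if with_helper else None, expectations)
    target = server_reacts(natted["payload"], reachable_from_internet={PUBLIC, SERVER})
    if target is None:
        return natted["payload"], None   # server cannot reach a private address
    state, mapped = inbound_classify(target[0], target[1], expectations)
    return natted["payload"], (state, mapped)


if __name__ == "__main__":
    print("plain NAT :", simulate(with_helper=False))
    print("with helper:", simulate(with_helper=True))
```

Without the helper the header says 203.0.113.7 but the payload still says 192.168.0.10, so the server's callback goes nowhere; with the helper the payload is rewritten and the callback arrives as RELATED, which is exactly the state the ESTABLISHED,RELATED rule suggested earlier in the thread accepts. Whether the transport is TCP or UDP never enters into it.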