PREROUTING

PREROUTING

[netfilter_user]

Hello everyone,

this is my problem:
My LAN is connected to Internet via Linux machine with 2 interface (
ppp0 - for internet and eth1 for local net). I need to connect from
local host, service that is running on port 23073 and 23083 UDP in
internet. For this i wrote afew rules with PREROUTING but when I start
script with rules below i receive:

Bad argument `PREROUTING'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `PREROUTING'
Try `iptables -h' or 'iptables --help' for more information.


iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2

iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT

What maybe a reason of this msg?
Im using slackware 8.1 with iptables 1.2.6a

-- 
Best regards,
  mailto:netfilter_user@o2.pl

Re: PREROUTING

[SaVaGE]

Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
> Hello everyone,
>
> this is my problem:
> My LAN is connected to Internet via Linux machine with 2 interface (
> ppp0 - for internet and eth1 for local net). I need to connect from
> local host, service that is running on port 23073 and 23083 UDP in
> internet. For this i wrote afew rules with PREROUTING but when I start
> script with rules below i receive:
>
> Bad argument `PREROUTING'
> Try `iptables -h' or 'iptables --help' for more information.
> Bad argument `PREROUTING'
> Try `iptables -h' or 'iptables --help' for more information.
>
>
> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j DNAT
> --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp -d
> 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
>
> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
>
> What maybe a reason of this msg?
> Im using slackware 8.1 with iptables 1.2.6a

This behaviour is correct NATting is done on the POSTROUTING table !!!!


Pascal (PC-Secure Dutch security service)

Re: PREROUTING

[Frederic Gobin]

This is not really true ...

According to the iptables man page, DNAT is valid only in the OUTPUT 
and PREROUTING chain of the nat table. SNAT is only valid in the 
POSTROUTING chain of the nat table.

It could be a missing kernel option ...

Frederic Gobin

Am Dienstag, 29.04.03 um 09:49 Uhr schrieb SaVaGE:

> Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
>> Hello everyone,
>>
>> this is my problem:
>> My LAN is connected to Internet via Linux machine with 2 interface (
>> ppp0 - for internet and eth1 for local net). I need to connect from
>> local host, service that is running on port 23073 and 23083 UDP in
>> internet. For this i wrote afew rules with PREROUTING but when I start
>> script with rules below i receive:
>>
>> Bad argument `PREROUTING'
>> Try `iptables -h' or 'iptables --help' for more information.
>> Bad argument `PREROUTING'
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>>
>> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j 
>> DNAT
>> --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp -d
>> 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
>>
>> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
>> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
>>
>> What maybe a reason of this msg?
>> Im using slackware 8.1 with iptables 1.2.6a
>
> This behaviour is correct NATting is done on the POSTROUTING table !!!!
>
>
> Pascal (PC-Secure Dutch security service)
>

Re[2]: PREROUTING

[netfilter_user]

Hello SaVaGE,

Tuesday, April 29, 2003, 9:49:10 AM, you wrote:

S> Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
>> Hello everyone,
>>
>> this is my problem:
>> My LAN is connected to Internet via Linux machine with 2 interface (
>> ppp0 - for internet and eth1 for local net). I need to connect from
>> local host, service that is running on port 23073 and 23083 UDP in
>> internet. For this i wrote afew rules with PREROUTING but when I start
>> script with rules below i receive:
>>
>> Bad argument `PREROUTING'
>> Try `iptables -h' or 'iptables --help' for more information.
>> Bad argument `PREROUTING'
>> Try `iptables -h' or 'iptables --help' for more information.
>>
>>
>> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j DNAT
>> --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp -d
>> 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
>>
>> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
>> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
>>
>> What maybe a reason of this msg?
>> Im using slackware 8.1 with iptables 1.2.6a

S> This behaviour is correct NATting is done on the POSTROUTING table !!!!


S> Pascal (PC-Secure Dutch security service)

ammm....im afraid its not correct because I have received msg like this:

 Bad argument `PREROUTING'
 Try `iptables -h' or 'iptables --help' for more information.
 Bad argument `PREROUTING'
 Try `iptables -h' or 'iptables --help' for more information.

...its not correct in my newbe opinion.

-- 
Best regards,
mailto:netfilter_user@o2.pl

Re: PREROUTING

[Eric Poulin]

You are absolutly right. Actually, the command is correct, and also working
fine in my environement, so I suspect also that some options by be missing in
the kernel.

Eric


> This is not really true ...
>
> According to the iptables man page, DNAT is valid only in the OUTPUT
> and PREROUTING chain of the nat table. SNAT is only valid in the
> POSTROUTING chain of the nat table.
>
> It could be a missing kernel option ...
>
> Frederic Gobin
>
> Am Dienstag, 29.04.03 um 09:49 Uhr schrieb SaVaGE:
>
> > Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
> >> Hello everyone,
> >>
> >> this is my problem:
> >> My LAN is connected to Internet via Linux machine with 2 interface (
> >> ppp0 - for internet and eth1 for local net). I need to connect from
> >> local host, service that is running on port 23073 and 23083 UDP in
> >> internet. For this i wrote afew rules with PREROUTING but when I start
> >> script with rules below i receive:
> >>
> >> Bad argument `PREROUTING'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >> Bad argument `PREROUTING'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >>
> >>
> >> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j
> >> DNAT
> >> --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp -d
> >> 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
> >>
> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
> >>
> >> What maybe a reason of this msg?
> >> Im using slackware 8.1 with iptables 1.2.6a
> >
> > This behaviour is correct NATting is done on the POSTROUTING table !!!!
> >
> >
> > Pascal (PC-Secure Dutch security service)
> >
>
>
>
>

Re: Re[2]: PREROUTING

[SaVaGE]

Op dinsdag 29 april 2003 14:53, schreef netfilter_user:
> Hello SaVaGE,
>
> Tuesday, April 29, 2003, 9:49:10 AM, you wrote:
>
> S> Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
> >> Hello everyone,
> >>
> >> this is my problem:
> >> My LAN is connected to Internet via Linux machine with 2 interface (
> >> ppp0 - for internet and eth1 for local net). I need to connect from
> >> local host, service that is running on port 23073 and 23083 UDP in
> >> internet. For this i wrote afew rules with PREROUTING but when I start
> >> script with rules below i receive:
> >>
> >> Bad argument `PREROUTING'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >> Bad argument `PREROUTING'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >>
> >>
> >> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j
> >> DNAT --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp
> >> -d 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
> >>
> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
> >>
> >> What maybe a reason of this msg?
> >> Im using slackware 8.1 with iptables 1.2.6a
>
> S> This behaviour is correct NATting is done on the POSTROUTING table !!!!
>
>
> S> Pascal (PC-Secure Dutch security service)
>
> ammm....im afraid its not correct because I have received msg like this:
>
>  Bad argument `PREROUTING'
>  Try `iptables -h' or 'iptables --help' for more information.
>  Bad argument `PREROUTING'
>  Try `iptables -h' or 'iptables --help' for more information.
>
> ...its not correct in my newbe opinion.


Sorry my fault wasn't wake at that time , maybe this will help::

iptables  -A PREROUTING -t nat -p udp -d 80.50.60.185 --dport
23073 -j DNAT --to 192.168.1.2:23073
iptables  -A PREROUTING -t nat -p udp -d 80.50.60.185 --dport
23083 -j DNAT --to 192.168.1.2:23083


let us know if it worked for you !

Re: Re[2]: PREROUTING

[Alistair Tonner]

On April 29, 2003 08:53 am, netfilter_user wrote:
> Hello SaVaGE,
>
> Tuesday, April 29, 2003, 9:49:10 AM, you wrote:
>
> S> Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
> >> Hello everyone,
> >>
> >> this is my problem:
> >> My LAN is connected to Internet via Linux machine with 2 interface (
> >> ppp0 - for internet and eth1 for local net). I need to connect from
> >> local host, service that is running on port 23073 and 23083 UDP in
> >> internet. For this i wrote afew rules with PREROUTING but when I start
> >> script with rules below i receive:
> >>
> >> Bad argument `PREROUTING'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >> Bad argument `PREROUTING'
> >> Try `iptables -h' or 'iptables --help' for more information.
> >>
> >>
> >> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j
> >> DNAT --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp
> >> -d 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
> >>
> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
> >>
> >> What maybe a reason of this msg?
> >> Im using slackware 8.1 with iptables 1.2.6a
>
> S> This behaviour is correct NATting is done on the POSTROUTING table !!!!
>
>
> S> Pascal (PC-Secure Dutch security service)
>
> ammm....im afraid its not correct because I have received msg like this:
>
>  Bad argument `PREROUTING'
>  Try `iptables -h' or 'iptables --help' for more information.
>  Bad argument `PREROUTING'
>  Try `iptables -h' or 'iptables --help' for more information.
>
> ...its not correct in my newbe opinion.



	Actually DNAT is acceptable in the PREROUTING chain.
	change the --to-destination option to 
  	--to ip.ad.dr.ess:portnum
	or 
	--to ip.ad.dre.ss
	
-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

Re[4]: PREROUTING

[netfilter_user]

Hello Alistair,

Tuesday, April 29, 2003, 4:49:38 PM, you wrote:

AT> On April 29, 2003 08:53 am, netfilter_user wrote:
>> Hello SaVaGE,
>>
>> Tuesday, April 29, 2003, 9:49:10 AM, you wrote:
>>
>> S> Op dinsdag 29 april 2003 09:23, schreef netfilter_user:
>> >> Hello everyone,
>> >>
>> >> this is my problem:
>> >> My LAN is connected to Internet via Linux machine with 2 interface (
>> >> ppp0 - for internet and eth1 for local net). I need to connect from
>> >> local host, service that is running on port 23073 and 23083 UDP in
>> >> internet. For this i wrote afew rules with PREROUTING but when I start
>> >> script with rules below i receive:
>> >>
>> >> Bad argument `PREROUTING'
>> >> Try `iptables -h' or 'iptables --help' for more information.
>> >> Bad argument `PREROUTING'
>> >> Try `iptables -h' or 'iptables --help' for more information.
>> >>
>> >>
>> >> iptables -t nat -A PREROUTING -p udp -d 80.50.60.185 --dport 23073 -j
>> >> DNAT --to-destination 192.168.1.2 iptables -t nat -A PREROUTING -p udp
>> >> -d 80.50.60.185 --dport 23083 -j DNAT --to-destination 192.168.1.2
>> >>
>> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23073 -j ACCEPT
>> >> iptables -A FORWARD -p udp -d 192.168.1.2 --dport 23083 -j ACCEPT
>> >>
>> >> What maybe a reason of this msg?
>> >> Im using slackware 8.1 with iptables 1.2.6a
>>
>> S> This behaviour is correct NATting is done on the POSTROUTING table !!!!
>>
>>
>> S> Pascal (PC-Secure Dutch security service)
>>
>> ammm....im afraid its not correct because I have received msg like this:
>>
>>  Bad argument `PREROUTING'
>>  Try `iptables -h' or 'iptables --help' for more information.
>>  Bad argument `PREROUTING'
>>  Try `iptables -h' or 'iptables --help' for more information.
>>
>> ...its not correct in my newbe opinion.



AT>         Actually DNAT is acceptable in the PREROUTING chain.
AT>         change the --to-destination option to 
AT>         --to ip.ad.dr.ess:portnum
AT>         or 
AT>         --to ip.ad.dre.ss
        

Now I have to excuse everyone who answer on my mail... it is ofcourse
my fault. I made mistake and had written "iptables -t nat
PREROUTING..." and I should write like this "iptables -t nat -A
PREROUTING...". I have forgotten about "-A". Forgive me plz and thx
for your time and attention.

--
Best regards,
mailto:netfilter_user@o2.pl