DNAT query

DNAT query

[Payal Rathod]

Hi,
I am trying to redirect trafffic from outside to an internal machine.  
The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
# iptables --version
iptables v1.2.9

When I give,
# iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.2:8000
iptables: Target problem

What exactly is wrong? If I try it on my Mandrake box it works. Any 
ideas?
Thanks in advance.
With warm regards,
-Payal

Re: DNAT query

[Rob Sterenborg]

On Fri, November 11, 2005 11:30, Payal Rathod wrote:
> Hi,
> I am trying to redirect trafffic from outside to an internal machine.
> The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
> # iptables --version
> iptables v1.2.9
>
> When I give,
> # iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j
> DNAT --to-destination 192.168.10.2:8000
> iptables: Target problem
>
> What exactly is wrong? If I try it on my Mandrake box it works. Any
> ideas?

Can't say that I've had any problems with this. Try:

iptables -t nat -I PREROUTING -d dyn.example.com -p tcp --dport 8000 \
  -j DNAT --to-destination 192.168.10.2:8000


Gr,
Rob

Re: DNAT query

[Jörg Harmuth]

Payal Rathod schrieb:
> Hi,
> I am trying to redirect trafffic from outside to an internal machine.  
> The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
> # iptables --version
> iptables v1.2.9
> 
> When I give,
> # iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.2:8000
> iptables: Target problem
> 
> What exactly is wrong? If I try it on my Mandrake box it works. Any 
> ideas?

Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
reason was, that is was the _only_ netfilter optio, that wasn't compiled
into the kernel :) I generally don't work with SuSE, so I don't know.
Bur maybe they still don't compile it as a kernel module.

HTH,

Joerg

Re: DNAT query

[Jörg Harmuth]

Payal Rathod schrieb:
> Hi,
> I am trying to redirect trafffic from outside to an internal machine.  
> The setup is SuSE Linux 9.1 (i586) 2.6.4-52-default
> # iptables --version
> iptables v1.2.9
> 
> When I give,
> # iptables -t nat -I OUTPUT -d dyn.example.com -p tcp --dport 8000 -j DNAT --to-destination 192.168.10.2:8000
> iptables: Target problem
> 
> What exactly is wrong? If I try it on my Mandrake box it works. Any 
> ideas?

Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
reason was, that is was the _only_ netfilter optio, that wasn't compiled
into the kernel :) I generally don't work with SuSE, so I don't know.
Bur maybe they still don't compile it as a kernel module.

HTH,

Joerg

Re: DNAT query

[Payal Rathod]

On Fri, Nov 11, 2005 at 11:57:02AM +0100, J?rg Harmuth wrote:
> Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
> reason was, that is was the _only_ netfilter optio, that wasn't compiled
> into the kernel :) I generally don't work with SuSE, so I don't know.
> Bur maybe they still don't compile it as a kernel module.

So what do you suggest? How do I use it now? Do I have to recomiple te 
kernel for that? I never done that before.
With warm regards,
-Payal

Re: DNAT query

[Payal Rathod]

On Fri, Nov 11, 2005 at 11:46:19AM +0100, Rob Sterenborg wrote:
> iptables -t nat -I PREROUTING -d dyn.example.com -p tcp --dport 8000 \
>   -j DNAT --to-destination 192.168.10.2:8000

This does work (sorry I should have mentioned it before). But I also 
need the OUTPUT rule too, right?

With warm regards,
-Payal

Re: DNAT query

[Jörg Harmuth]

Payal Rathod schrieb:
> On Fri, Nov 11, 2005 at 11:57:02AM +0100, J?rg Harmuth wrote:
> 
>>Some time ago I had a similar problem with SLES8 and nat/OUTPUT. The
>>reason was, that is was the _only_ netfilter optio, that wasn't compiled
>>into the kernel :) I generally don't work with SuSE, so I don't know.
>>Bur maybe they still don't compile it as a kernel module.
> 
> 
> So what do you suggest? How do I use it now? Do I have to recomiple te 
> kernel for that? I never done that before.
> With warm regards,
> -Payal

It depends. But as Robs solution works for you, it looks like you only
need to redirect/forward connections (roughly: PREROUTING -> FORWARD ->
POSTROUTING). You only need nat/OUTPUT for packets, generated on the
firewall itself (roughly: local process -> OUTPUT -> POSTROUTING). If
you need to redirect locally generated packets *and* nat/OUTPUT isn't
compiled - well, yes then you have to compile the module from the kernel
sources (which in this case is simple, because you only have to enable
one option).

HTH,

Joerg

Re: DNAT query

[Payal Rathod]

On Fri, Nov 11, 2005 at 01:20:13PM +0100, J?rg Harmuth wrote:
> It depends. But as Robs solution works for you, it looks like you only
> need to redirect/forward connections (roughly: PREROUTING -> FORWARD ->
> POSTROUTING). You only need nat/OUTPUT for packets, generated on the
> firewall itself (roughly: local process -> OUTPUT -> POSTROUTING). If
[...]

I am sorry but you lost me here. Can you give the complete ruleset which 
I need now. I always thought I needed PREROUTING as well as OUTPUT.
Thanks in advance.
With warm regards,
-Payal