Linux Netfilter discussions
* DNAT and SNAT
From: Fabrizio Regalli @ 2008-09-03 14:02 UTC
  To: netfilter

Hi list.

I have a "closed" router and I can't use PAT, but I need to forward
the ssh port to another external port (50002).
My router is 192.168.1.1
My server is 192.168.1.2
My client is 192.168.1.3
In other words I need to forward the ssh port of 192.168.1.3 to server ip:50002

For the PREROUTING rule, I suppose this is right:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 50002 -j DNAT --to-destination 192.168.1.3:22

For the POSTROUTING rule, I need some help. I'm trying it this way:

iptables -t nat -A POSTROUTING -p tcp -m tcp -d 192.168.1.2 --dport 22 -j SNAT --to-source 192.168.1.2:50002

But unfortunately it doesn't work.

Could someone please give me a suggestion for the POSTROUTING rule?

Thanks in advance.

* Re: DNAT and SNAT
From: Fabrizio Regalli @ 2008-09-03 14:43 UTC
  To: netfilter

I've found the right rules:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 50002 -j DNAT --to-destination 192.168.1.3:22

iptables -t nat -A POSTROUTING -p tcp -m tcp -d 192.168.1.3 --dport 22 -j SNAT --to-source 192.168.1.2:50002

iptables -P FORWARD ACCEPT

Now it works.

Thanks.
Fabrizio


* Re: DNAT and SNAT
From: ArcosCom Linux User @ 2008-09-04 10:41 UTC
  To: netfilter

The solution is not to "allow all" in "forwarding" on your router.

Think how the tables work:
   * The nat is for the NAT operations.
   * The filter is for filter operations.

If you are not allowing all forwarding traffic, then you need to put a
rule analogous to the NAT rule in your nat table into your filter table.

For example, if you want to redirect 50002 from external to internal, you
must allow this in the filter table, something like:

iptables -t filter -A FORWARD -p tcp -m tcp --dport 50002 -d 192.168.1.3 -j ACCEPT

Perhaps you need more rules, for example one to delimit the input and
another for the output, because you are using different ports on the external
interface and on the destination host.

The idea is to only allow the things you need.

Regards

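The complete rule set for this thread's setup, as an added example that is not code from either poster: it keeps the DNAT and SNAT rules from the thread, replaces the blanket "iptables -P FORWARD ACCEPT" with the explicit filter rules the last reply asks for, and prints the rules rather than applying them unless told to (the variable and function names are this example's own).

```shell
#!/bin/sh
# Added example (not from the thread): generate, and optionally apply, the
# complete rule set for the hairpin forward discussed above. Addresses and
# ports are the thread's; the function and variable names are this example's.
SERVER=192.168.1.2   # host running iptables (this box)
TARGET=192.168.1.3   # ssh host reached through SERVER:50002
EXT_PORT=50002       # port exposed on SERVER
SSH_PORT=22

# Print the rules, one per line, without touching the kernel.
# Usage: gen_rules [server] [target] [ext_port] [ssh_port]
gen_rules() {
    s=${1:-$SERVER}; t=${2:-$TARGET}; ep=${3:-$EXT_PORT}; sp=${4:-$SSH_PORT}
    cat <<EOF
iptables -t nat -A PREROUTING -p tcp --dport $ep -j DNAT --to-destination $t:$sp
iptables -t nat -A POSTROUTING -p tcp -d $t --dport $sp -j SNAT --to-source $s
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -d $t --dport $sp -m conntrack --ctstate NEW -j ACCEPT
EOF
}
# Notes on the generated rules:
#  * The filter table's FORWARD chain runs after PREROUTING, so the ACCEPT
#    rule must match the already translated destination ($t:$sp), not $ep.
#  * The SNAT omits ":$ep" so each session gets its own source port; pinning
#    a single source port leaves room for one concurrent session to $t:$sp.
#  * Because of the SNAT, sshd on $t logs every connection as coming from $s;
#    the real client address is only visible in this host's conntrack table.

# Apply the generated rules (needs root); IP forwarding must be on as well.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_rules | sh -e
}

case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```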