* DNAT question..
@ 2003-07-24  7:00 Rio Martin.
  2003-07-24  8:29 ` Philip Craig
  0 siblings, 1 reply; 26+ messages in thread
From: Rio Martin. @ 2003-07-24  7:00 UTC (permalink / raw)
  To: netfilter

Dear all,
First, let me describe my network:

INTERNET --- eth0 [ NAT+Firewall Linux ] eth1 --- LAN

eth0 would be my public ip = 211.1.1.10
eth1 would be my private ip = 192.168.1.1

On the NAT+Firewall Linux box I applied this rule:
iptables -t nat -A PREROUTING -p tcp -d 211.1.1.10 --dport 80 -j DNAT --to 192.168.1.2:80
This is the rule for redirecting to the local webserver.

I tried to test it from the outside network (internet), surfing to http://211.1.1.10,
and it succeeded.
But from inside the LAN (192.168.1.3) I am unable to browse to
http://211.1.1.10

Let me know how to make this also work from inside the LAN.
Thanks ..

Regards,
Rio Martin.
-- 
Don't cook tonight -- starve a rat today!




* Re: DNAT question..
  2003-07-24  7:00 DNAT question Rio Martin.
@ 2003-07-24  8:29 ` Philip Craig
  2003-07-24  8:56   ` Rio Martin.
  0 siblings, 1 reply; 26+ messages in thread
From: Philip Craig @ 2003-07-24  8:29 UTC (permalink / raw)
  To: Rio Martin.; +Cc: netfilter

Rio Martin. wrote:
> Dear all,
> First, let me describe my network:
> 
> INTERNET --- eth0 [ NAT+Firewall Linux ] eth1 --- LAN
> 
> eth0 would be my public ip = 211.1.1.10
> eth1 would be my private ip = 192.168.1.1
> 
> On the NAT+Firewall Linux box I applied this rule:
> iptables -t nat -A PREROUTING -p tcp -d 211.1.1.10 --dport 80 -j DNAT --to 192.168.1.2:80
> This is the rule for redirecting to the local webserver.
> 
> I tried to test it from the outside network (internet), surfing to http://211.1.1.10,
> and it succeeded.
> But from inside the LAN (192.168.1.3) I am unable to browse to
> http://211.1.1.10

You need to SNAT internal connections so that replies go via the
firewall instead of directly to the client, otherwise the firewall
cannot reverse the DNAT and the client drops the reply packet.

Try this rule:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 80 -j SNAT --to 192.168.1.1

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
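Philip's explanation above, as an added example that is not part of the original thread and not code from any poster: a small Python model of the packet flow, using the addresses from Rio's mail. The routing and conntrack behaviour is simplified and is this example's own assumption. It shows that without the POSTROUTING SNAT the web server's reply reaches the LAN client directly with a source address the client never connected to, so the client drops it, while with the SNAT the reply is routed back through the firewall, which reverses both translations.

```python
"""Toy model of one TCP connection through the thread's NAT box.

Constructed example, not code from the netfilter list or from any poster: it
models PREROUTING DNAT, POSTROUTING SNAT and the conntrack reverse mapping
just far enough to show why Rio's LAN client needs Philip's extra SNAT rule.
Addresses are the ones from the thread.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "211.1.1.10"    # firewall eth0
LAN_GW = "192.168.1.1"      # firewall eth1
WEB = "192.168.1.2"         # internal web server
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80


def nat_outbound(pkt, hairpin_snat):
    """Pass a packet through the firewall's nat table on its way to the server.

    Returns (packet as the server sees it, conntrack entry)."""
    original = pkt
    # PREROUTING: -p tcp -d 211.1.1.10 --dport 80 -j DNAT --to 192.168.1.2:80
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:
        pkt = Packet(pkt.src, WEB, 80)
    # POSTROUTING (Philip's rule, only when enabled):
    #   -p tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 80 -j SNAT --to 192.168.1.1
    if hairpin_snat and ipaddress.ip_address(pkt.src) in LAN and pkt.dst == WEB:
        pkt = Packet(LAN_GW, pkt.dst, 80)
    # conntrack keeps the original tuple so the reply can be un-NATed
    return pkt, {"original": original, "translated": pkt}


def reply_path(as_seen_by_server, ct):
    """The server answers the source it saw; decide who carries the reply.

    Returns (reply goes via the firewall?, reply as the client receives it)."""
    reply = Packet(src=as_seen_by_server.dst, dst=as_seen_by_server.src)
    dst = ipaddress.ip_address(reply.dst)
    # A reply to a host on the server's own subnet is delivered directly on the
    # LAN segment; only replies to the gateway or to the outside cross the firewall.
    via_firewall = reply.dst == LAN_GW or dst not in LAN
    if via_firewall:
        # conntrack reverses both the DNAT and the SNAT on the reply
        reply = Packet(src=ct["original"].dst, dst=ct["original"].src)
    return via_firewall, reply


def client_accepts(sent, reply):
    """A TCP stack only accepts a reply from the peer it connected to."""
    return reply.src == sent.dst and reply.dst == sent.src


def connect(client_ip, hairpin_snat):
    """Run one connection attempt; return (reply via firewall?, client accepted?)."""
    sent = Packet(client_ip, PUBLIC_IP, 80)
    seen, ct = nat_outbound(sent, hairpin_snat)
    via_fw, reply = reply_path(seen, ct)
    return via_fw, client_accepts(sent, reply)


if __name__ == "__main__":
    print("internet client, DNAT only :", connect("198.51.100.7", False))
    print("LAN client, DNAT only      :", connect("192.168.1.3", False))
    print("LAN client, DNAT + SNAT    :", connect("192.168.1.3", True))
```

The external client works either way because its reply has to leave through the firewall's default route; the LAN client only works once the SNAT forces the server to answer the firewall instead of the client.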




* Re: DNAT question..
  2003-07-24  8:29 ` Philip Craig
@ 2003-07-24  8:56   ` Rio Martin.
  2003-07-24  9:42     ` Chris Wilson
  2003-07-24 16:22     ` Not quite understanding DNAT Coutts, Ashe (Testing Account)
  0 siblings, 2 replies; 26+ messages in thread
From: Rio Martin. @ 2003-07-24  8:56 UTC (permalink / raw)
  To: netfilter

On Thursday 24 July 2003 15:29, you wrote:
> Rio Martin. wrote:
> > Dear all,
> > First, let me describe my network:
> > INTERNET --- eth0 [ NAT+Firewall Linux ] eth1 --- LAN
> > eth0 would be my public ip = 211.1.1.10
> > eth1 would be my private ip = 192.168.1.1
> > On the NAT+Firewall Linux box I applied this rule:
> > iptables -t nat -A PREROUTING -p tcp -d 211.1.1.10 --dport 80 -j DNAT \
> > --to 192.168.1.2:80
> > This is the rule for redirecting to the local webserver.
> > I tried to test it from the outside network (internet), surfing to
> > http://211.1.1.10, and it succeeded.
> > But from inside the LAN (192.168.1.3) I am unable to browse to
> > http://211.1.1.10
> You need to SNAT internal connections so that replies go via the
> firewall instead of directly to the client, otherwise the firewall
> cannot reverse the DNAT and the client drops the reply packet.
> Try this rule:
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 \
> --dport 80 -j SNAT --to 192.168.1.1

I don't know, I tried but it still won't connect to the webserver.
Connection Refused.

Regards,
Rio Martin.
-- 
You can measure a programmer's perspective by noting his attitude on
the continuing viability of FORTRAN.
		-- Alan Perlis




* Re: DNAT question..
  2003-07-24  8:56   ` Rio Martin.
@ 2003-07-24  9:42     ` Chris Wilson
  2003-07-24 13:37       ` Gonzalez, Federico
  2003-07-24 16:22     ` Not quite understanding DNAT Coutts, Ashe (Testing Account)
  1 sibling, 1 reply; 26+ messages in thread
From: Chris Wilson @ 2003-07-24  9:42 UTC (permalink / raw)
  To: Rio Martin.; +Cc: netfilter

Hi Rio,

> > You need to SNAT internal connections so that replies go via the
> > firewall instead of directly to the client, otherwise the firewall
> > cannot reverse the DNAT and the client drops the reply packet.
> > Try this rule:
> > iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 \
> > --dport 80 -j SNAT --to 192.168.1.1
> 
> I don't know, I tried but it still won't connect to the webserver.
> Connection Refused.

Is it possible that an earlier rule in the POSTROUTING chain is overriding 
this one? Could you try:

	iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.2 \
		-p tcp --dport 80 -j MASQUERADE

If that doesn't work, please send your ruleset (iptables -L -n -v; 
iptables -t nat -L -n -v) and tcpdump of packets on the internal interface 
of your firewall when you try to connect.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |




* Re: DNAT question..
  2003-07-24  9:42     ` Chris Wilson
@ 2003-07-24 13:37       ` Gonzalez, Federico
  2003-07-24 14:16         ` Cedric Blancher
  0 siblings, 1 reply; 26+ messages in thread
From: Gonzalez, Federico @ 2003-07-24 13:37 UTC (permalink / raw)
  Cc: netfilter

Hi Rio,

   I think the problem is in the destination IP address: you have to use the
external IP, so I think the rule should be:

iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 211.1.1.10 \
   --dport 80 -j SNAT --to 192.168.1.1

Hope this helps

Federico.

Chris Wilson wrote:

> Hi Rio,
>
> > > You need to SNAT internal connections so that replies go via the
> > > firewall instead of directly to the client, otherwise the firewall
> > > cannot reverse the DNAT and the client drops the reply packet.
> > > Try this rule:
> > > iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 \
> > > --dport 80 -j SNAT --to 192.168.1.1
> >
> > I don't know, I tried but it still won't connect to the webserver.
> > Connection Refused.
>
> Is it possible that an earlier rule in the POSTROUTING chain is overriding
> this one? Could you try:
>
>         iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.2 \
>                 -p tcp --dport 80 -j MASQUERADE
>
> If that doesn't work, please send your ruleset (iptables -L -n -v;
> iptables -t nat -L -n -v) and tcpdump of packets on the internal interface
> of your firewall when you try to connect.
>
> Cheers, Chris.
> --
>    ___ __     _
>  / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
> / (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
> \ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |



* Re: DNAT question..
  2003-07-24 13:37       ` Gonzalez, Federico
@ 2003-07-24 14:16         ` Cedric Blancher
  0 siblings, 0 replies; 26+ messages in thread
From: Cedric Blancher @ 2003-07-24 14:16 UTC (permalink / raw)
  To: Gonzalez, Federico; +Cc: netfilter

On Thu 24/07/2003 at 15:37, Gonzalez, Federico wrote:
>    I think the problem is in the destination IP address: you have to use the
> external IP, so I think the rule should be:
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 211.1.1.10 \
>    --dport 80 -j SNAT --to 192.168.1.1

I don't think so. In the POSTROUTING chain, DNAT has already occurred, so
the original destination (211.1.1.10) has already been changed to
192.168.1.2.

Problem must sit elsewhere (next to the truth out there) ;)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Not quite understanding DNAT
  2003-07-24  8:56   ` Rio Martin.
  2003-07-24  9:42     ` Chris Wilson
@ 2003-07-24 16:22     ` Coutts, Ashe (Testing Account)
  2003-07-24 16:43       ` Aldo S. Lagana
                         ` (2 more replies)
  1 sibling, 3 replies; 26+ messages in thread
From: Coutts, Ashe (Testing Account) @ 2003-07-24 16:22 UTC (permalink / raw)
  To: netfilter

I have set up a very basic firewall for our system. 
We have 126 addresses to be used to/from the outside world (204.48.178.0/25) 
and are using 10.x numbers on the inside.

It is working almost as I expected except for the following. The DNAT 
connections come into the system fine but are seen as originating from the 
eth0 interface rather than their eth0:x interface. So, when attaching to a Linux 
cpu with ssh I need to place the ip# for the eth0 interface in the 
hosts.allow file rather than the much more restrictive eth0:x ip#. Can it be set 
up so the connection is between the external eth0:x ip# and its linked internal 
ip#?

Any help or suggestions would be greatly appreciated.

Thanks

============  Start iptables script ================
#!/bin/sh
/root/bin/NatReset

# First the "outside" eth0 interface on the firewall
/sbin/ifconfig eth0 204.48.178.2 netmask 255.255.255.128  \
        broadcast 204.48.178.127 up

### Now add aliases to eth0 to users/hosts from the  outside.
/sbin/ifconfig eth0:3 204.48.178.3 netmask 255.255.255.128  \
       broadcast 204.48.178.127 up
/sbin/ifconfig eth0:4 204.48.178.4 netmask 255.255.255.128  \
       broadcast 204.48.178.127 up
/sbin/ifconfig eth0:4 204.48.178.5 netmask 255.255.255.128  \
       broadcast 204.48.178.127 up

###  ethernet "eth1", i.e. the "inside" interface for the firewall 
/sbin/ifconfig eth1 10.0.0.1 netmask 255.255.255.248  \
       broadcast 10.0.0.7 up


## Set up outside access to the mainframe
/sbin/iptables --table nat --append PREROUTING  --destination 204.48.178.3   \
               --jump DNAT --to 10.5.2.104

## Set up outside access to a Windows 2000 cpu
/sbin/iptables --table nat --append PREROUTING  --destination 204.48.178.4   \
               --jump DNAT --to 10.5.2.105
               
#  Set up inside and outside 1 to 1 mapping for W2K user
/sbin/iptables --table nat --append PREROUTING  --destination 204.48.178.5   \
                           --jump DNAT --to 10.5.2.107
/sbin/iptables --table nat --append POSTROUTING --source 10.5.2.107/32       \
               --jump SNAT --to 204.48.178.5

## Setup NAT from entire WAN to the outside world
/sbin/iptables --table nat  --append POSTROUTING --source 0.0.0.0/0          \
               --jump SNAT --to 204.48.178.2

## Now set the general policies
/sbin/iptables --policy INPUT   DROP
/sbin/iptables --policy FORWARD ACCEPT
/sbin/iptables --policy OUTPUT  DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
============  End iptables script ================




"Experience is not what happens to you, it
 is what you do with what happens to you"
       -- Aldous Huxley (1894-1963)

   Ashe Coutts (acoutts@sbsdk12.org)
   805.963.7751 Ext 260
   Fax 805.884.1557




* RE: Not quite understanding DNAT
  2003-07-24 16:22     ` Not quite understanding DNAT Coutts, Ashe (Testing Account)
@ 2003-07-24 16:43       ` Aldo S. Lagana
  2003-07-25  0:14       ` Philip Craig
  2003-07-25  9:47       ` Chris Wilson
  2 siblings, 0 replies; 26+ messages in thread
From: Aldo S. Lagana @ 2003-07-24 16:43 UTC (permalink / raw)
  To: 'Coutts, Ashe (Testing Account)', netfilter

Ethernet aliases are just aliases; that means they are a different name
for the same thing.  So your eth0:x interface is actually eth0 to many
services that run on Linux.  Netfilter (iptables) works perfectly well with
aliases and you can specify rules with aliases.

It is the end server applications that are not very
alias-friendly... FreeS/WAN is one of them, and, like you said, SSH is one
too.







* Re: Not quite understanding DNAT
  2003-07-24 16:22     ` Not quite understanding DNAT Coutts, Ashe (Testing Account)
  2003-07-24 16:43       ` Aldo S. Lagana
@ 2003-07-25  0:14       ` Philip Craig
  2003-07-25  9:47       ` Chris Wilson
  2 siblings, 0 replies; 26+ messages in thread
From: Philip Craig @ 2003-07-25  0:14 UTC (permalink / raw)
  To: Coutts, Ashe (Testing Account); +Cc: netfilter

Coutts, Ashe (Testing Account) wrote:
> It is working almost as I expected except for the following. The DNAT 
> connections come into the system fine but are seen as originating from the 
> eth0 interface rather than their eth0:x interface. So, when attaching to a Linux 
> cpu with ssh I need to place the ip# for the eth0 interface in the 
> hosts.allow file rather than the much more restrictive eth0:x ip#. Can it be set 
> up so the connection is between the external eth0:x ip# and its linked internal 
> ip#?

If all you are doing is DNATing, then the source address should be
the real external source address, not eth0 *or* eth0:x.

> ## Setup NAT from entire WAN to the outside world
> /sbin/iptables --table nat  --append POSTROUTING --source 0.0.0.0/0          \
>                --jump SNAT --to 204.48.178.2

But here we see that you are SNATing everything.  This is probably
not what you want.  I expect you only want to SNAT outgoing traffic:

## Setup NAT from entire WAN to the outside world
/sbin/iptables --table nat  --append POSTROUTING --out-interface eth0          \
                  --jump SNAT --to 204.48.178.2

With this rule, you should now place the real external hosts in
your hosts.allow, rather than any IP address that belongs to the
firewall.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
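As an added example (not code from the thread or from any poster), here is a check over an iptables-save style ruleset constructed from Ashe's script. It flags a POSTROUTING SNAT/MASQUERADE rule that has no --out-interface and matches every source, and lists the DNAT targets whose inbound connections that rule also rewrites, which is the symptom Ashe reported: the internal hosts see the firewall's own address instead of the real client. The parser handles only the options used here; negated matches ("! -s") are assumed absent. Philip's fix, restricting the rule to -o eth0, is shown passing the check.

```python
"""Lint a nat ruleset for SNAT rules that also rewrite DNAT'd inbound traffic.

Constructed example, not code from the list or from any poster. The ruleset
below is written in iptables-save syntax and mirrors Ashe's script; the
check flags a POSTROUTING SNAT/MASQUERADE rule that has no --out-interface
and matches every source, then lists which DNAT targets it would rewrite.
"""
import ipaddress
import shlex

# Constructed ruleset (iptables-save syntax) with Ashe's addresses.
ASHE_RULES = """
*nat
-A PREROUTING -d 204.48.178.3/32 -j DNAT --to-destination 10.5.2.104
-A PREROUTING -d 204.48.178.4/32 -j DNAT --to-destination 10.5.2.105
-A PREROUTING -d 204.48.178.5/32 -j DNAT --to-destination 10.5.2.107
-A POSTROUTING -s 10.5.2.107/32 -j SNAT --to-source 204.48.178.5
-A POSTROUTING -s 0.0.0.0/0 -j SNAT --to-source 204.48.178.2
COMMIT
"""

# Same ruleset with Philip's fix: only traffic leaving on eth0 is SNATed.
FIXED_RULES = ASHE_RULES.replace(
    "-A POSTROUTING -s 0.0.0.0/0 -j SNAT", "-A POSTROUTING -o eth0 -j SNAT")

# option flag -> key; single-valued options only (negation with '!' not handled)
_OPTS = {"-A": "chain", "-s": "src", "-d": "dst", "-i": "in", "-o": "out",
         "-j": "target", "--to-source": "to", "--to-destination": "to",
         "--to": "to"}


def parse_rules(text):
    """Return a list of dicts, one per '-A' line; table/COMMIT lines are skipped."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A"):
            continue
        rule = {"raw": line}
        toks = shlex.split(line)
        i = 0
        while i < len(toks):
            key = _OPTS.get(toks[i])
            if key is not None and i + 1 < len(toks):
                rule[key] = toks[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return rules


def overbroad_snat(text):
    """Return [(offending rule, [DNAT targets it rewrites]), ...]."""
    rules = parse_rules(text)
    dnat_targets = [r["to"].split(":")[0] for r in rules
                    if r.get("chain") == "PREROUTING" and r.get("target") == "DNAT"]
    findings = []
    for r in rules:
        if r.get("chain") != "POSTROUTING" or r.get("target") not in ("SNAT", "MASQUERADE"):
            continue
        src = ipaddress.ip_network(r.get("src", "0.0.0.0/0"), strict=False)
        if r.get("out") is None and src.prefixlen == 0:
            # No interface and no source restriction: forwarded traffic in every
            # direction matches, including connections DNAT'd to these hosts.
            dst = ipaddress.ip_network(r.get("dst", "0.0.0.0/0"), strict=False)
            hit = [t for t in dnat_targets if ipaddress.ip_address(t) in dst]
            findings.append((r["raw"], hit))
    return findings


if __name__ == "__main__":
    for raw, hit in overbroad_snat(ASHE_RULES):
        print("over-broad:", raw, "-> also rewrites DNAT'd traffic to", hit)
    print("after fix:", overbroad_snat(FIXED_RULES))
```

Run against a real box the same logic applies to the output of `iptables-save -t nat`; the point of the check is that a SNAT rule is only as narrow as its -o/-s matches make it.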




* Re: Not quite understanding DNAT
  2003-07-24 16:22     ` Not quite understanding DNAT Coutts, Ashe (Testing Account)
  2003-07-24 16:43       ` Aldo S. Lagana
  2003-07-25  0:14       ` Philip Craig
@ 2003-07-25  9:47       ` Chris Wilson
  2003-07-25 10:10         ` Cedric Blancher
  2 siblings, 1 reply; 26+ messages in thread
From: Chris Wilson @ 2003-07-25  9:47 UTC (permalink / raw)
  To: Coutts, Ashe (Testing Account); +Cc: netfilter

Hi Ashe,

> I have set up a very basic firewall for our system. 
> We have 126 addresses to be used to/from the outside world (204.48.178.0/25) 
> and are using 10.x numbers on the inside.
> 
> It is working almost as I expected except for the following. The DNAT 
> connections come into the system fine but are seen as originating from the 
> eth0 interface rather than their eth0:x interface. So, when attaching to a Linux 
> cpu with ssh I need to place the ip# for the eth0 interface in the 
> hosts.allow file rather than the much more restrictive eth0:x ip#. Can it be set 
> up so the connection is between the external eth0:x ip# and its linked internal 
> ip#?

You could try:

	route add <internal-server-10.0.0.x> dev eth0 \
		gw <address-of-eth0:x>

Using an address of your own box as the gateway of a route will cause
locally-generated traffic going down that route to come from that address,
instead of the default address on the device. This should mean that the
masquerading uses that address too, but I haven't tested it.

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |




* Re: Not quite understanding DNAT
  2003-07-25  9:47       ` Chris Wilson
@ 2003-07-25 10:10         ` Cedric Blancher
  0 siblings, 0 replies; 26+ messages in thread
From: Cedric Blancher @ 2003-07-25 10:10 UTC (permalink / raw)
  To: Chris Wilson; +Cc: Coutts, Ashe (Testing Account), netfilter

On Fri 25/07/2003 at 11:47, Chris Wilson wrote:
> You could try:
> 	route add <internal-server-10.0.0.x> dev eth0 \
> 		gw <address-of-eth0:x>
> Using an address of your own box as the gateway of a route will cause
> locally-generated traffic going down that route to come from that address,
> instead of the default address on the device. This should mean that the
> masquerading uses that address too, but I haven't tested it.

I've just tested this; it does not work as I was expecting.

However, you can use iproute2 to achieve this kind of behaviour. You
can specify an arbitrary local IP to use as the source for a given route.
Ashe, you should try this:

	ip route add $INSERV dev eth0 src $SRCIP

I use this quite often on net2net VPN using FreeS/WAN to force gateways
to use their private IP when communicating through the tunnel.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: dnat question
  2006-02-14 20:48 James Edward Stickland
@ 2006-02-15  0:23 ` Edmundo Carmona
  0 siblings, 0 replies; 26+ messages in thread
From: Edmundo Carmona @ 2006-02-15  0:23 UTC (permalink / raw)
  To: netfilter

Don't include any port... that should be enough.

iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination x.x.x.x:80

On 2/14/06, James Edward Stickland <jstic04@cp.centennialcollege.ca> wrote:
> Hello, could someone help me with writing a rule to do the following:
>
> All TCP connections on all port numbers 1-65534 should be DNAT'ed to host
> x.x.x.x on port 80.
>
> I'm setting up a simple honeypot for new connections coming to my WAN
> interface.
>
> I know I could do separate PREROUTING chain entries in the nat table
> for each port, but how can I do a one-liner?
>
>



* dnat question
@ 2006-02-14 20:48 James Edward Stickland
  2006-02-15  0:23 ` Edmundo Carmona
  0 siblings, 1 reply; 26+ messages in thread
From: James Edward Stickland @ 2006-02-14 20:48 UTC (permalink / raw)
  To: netfilter

Hello, could someone help me with writing a rule to do the following:

All TCP connections on all port numbers 1-65534 should be DNAT'ed to host 
x.x.x.x on port 80.

I'm setting up a simple honeypot for new connections coming to my WAN 
interface.

I know I could do separate PREROUTING chain entries in the nat table 
for each port, but how can I do a one-liner?



* dnat question
@ 2005-10-07  3:32 Gene Dellinger
  0 siblings, 0 replies; 26+ messages in thread
From: Gene Dellinger @ 2005-10-07  3:32 UTC (permalink / raw)
  To: netfilter

I want to do the following.
I have a primary server in my Hawaii office that clients (20.20.20.2) in
Hawaii connect to.
Currently, through straightforward routing, they connect directly to the IP
4.4.4.2.
I would like to have them connect to my firewall (3.3.3.2) and port forward
the connections to 4.4.4.2. That was done using:

iptables -t nat -A PREROUTING -s 20.20.20.2 -p tcp --dport 22 -j DNAT --to-destination 4.4.4.2

To provide an emergency backup should something happen to the main server in
Hawaii, I would like to change the PREROUTING rule to
  -j DNAT --to-destination 6.6.6.2

I have set it up, but when I look at the packet trail I see it get to
my backup server, and then die; no return packets
are sent back to the client. Interesting note: I can gain access from the
clients directly to the backup server (i.e. from a client station, ssh 6.6.6.2),
but that takes away my ability to switch to the backup in one spot at the
firewall. I have had pretty good luck with iptables in the past but this one
has me stumped.

Below is the network config.


client                                                                                linux
20.20.20.2 >---> router >-1.1.1.1-(WAN T1)-1.1.1.2-> router >-3.3.3.1-(LAN)-3.3.3.2-> firewall >-4.4.4.1-(LAN)-4.4.4.2-> main server
  HAWAII                                             2.2.2.1                                                             HAWAII
                                                        |
                                                     (WAN T1)
                                                        |
                                                     2.2.2.2                          linux
                                                     router >-5.5.5.1-(LAN)-5.5.5.2-> firewall >-6.6.6.1-(LAN)-6.6.6.2-> backup server
                                                                                                                         CALIFORNIA

Thanks
Gene Dellinger
IT Systems Engineer
POH, Inc.




* Re: DNAT question
  2004-06-14 14:35 Arnauts, Bert
  2004-06-14 14:51 ` Antony Stone
  2004-06-14 15:12 ` John A. Sullivan III
@ 2004-06-15 11:40 ` John A. Sullivan III
  2 siblings, 0 replies; 26+ messages in thread
From: John A. Sullivan III @ 2004-06-15 11:40 UTC (permalink / raw)
  To: Arnauts, Bert; +Cc: netfilter

On Mon, 2004-06-14 at 10:35, Arnauts, Bert wrote:
> Hello all,
> 
> I want to DNAT some machines in another subnet.
> The target machines have ip's like 11.0.0.x/24
> 
> My available lan ip's are 172.239.239.x/27 (255.255.255.224)
> 
> These are my rules, which are apparently not working.
> I created virtual interfaces on eth1, one for each DNAT'ed ip.
> 
> What am I missing? Forget about normal tables stuff, I only want this
> machine to do DNAT.
> 
> Thx,
> 
> 
> INET_IP="172.25.239.208"
> INET_IFACE="eth1"
> INET_BROADCAST="172.25.239.223"
> LAN_IP="11.0.0.1"
> LAN_IP_RANGE="11.0.0.0/24"
> LAN_IFACE="eth0"
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
> $IPTABLES --flush
> $IPTABLES --table nat --flush
> $IPTABLES --delete-chain
> $IPTABLES --table nat --delete-chain
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/255.255.255.224 -j DNAT --to 11.0.0.9

Now that I look at it while awake :-), that last rule looks a bit
strange.  Do you mean -d 172.25.239.220/255.255.255.255 or
172.25.239.192/255.255.255.224?

I believe iptables is looking for the base address of the network when
used with a subnet mask and not the node address.
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
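John's point about the base address, as an added example that is not part of the thread and not code from any poster: Python's ipaddress module reproduces what iptables does with a host address and a short mask (the address is ANDed with the mask, leaving the network base), and lists which hosts a rule written that way actually matches. The candidate list is constructed from addresses visible in Bert's mails. The normalised form 172.25.239.192/27 is exactly what appears in Bert's `iptables -L -t nat` output, and it covers the NAT box's own 172.25.239.208 as well as every other host in that /27.

```python
"""How iptables interprets a host address with a short mask.

Constructed example, not code from the list or from any poster: it uses
Python's ipaddress module to reproduce the normalisation John describes,
i.e. the address is masked down to its network base, so '-d 172.25.239.220/27'
matches the whole 172.25.239.192/27 (the form Bert's 'iptables -L' output shows).
"""
import ipaddress


def iptables_match_network(spec):
    """Return the network an iptables -s/-d match actually covers.

    iptables ANDs the address with the mask and keeps only the network
    bits, which is what strict=False does here; a dotted mask
    (255.255.255.224) and a prefix length (/27) are both accepted."""
    return ipaddress.ip_network(spec, strict=False)


def addresses_caught(spec, candidates):
    """Which of `candidates` a rule written with `spec` would match."""
    net = iptables_match_network(spec)
    return [a for a in candidates if ipaddress.ip_address(a) in net]


# Constructed candidate list built from the addresses visible in the thread.
HOSTS = [
    "172.25.239.220",  # the alias Bert meant to DNAT
    "172.25.239.208",  # the NAT box itself (eth1)
    "172.25.239.201",  # neighbours from his arp -an output
    "172.25.239.193",
    "172.25.239.230",  # outside the /27 that contains .220
]

if __name__ == "__main__":
    for spec in ("172.25.239.220/255.255.255.224", "172.25.239.220/27",
                 "172.25.239.220/255.255.255.255"):
        print(f"{spec:36} -> {iptables_match_network(spec)}  "
              f"catches {addresses_caught(spec, HOSTS)}")
```

The practical check is the one John suggests: a single-host DNAT match needs a /32 (or no mask at all); anything shorter silently widens the rule to the whole subnet, including the firewall's own address.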




* RE: DNAT question
@ 2004-06-14 17:05 Arnauts, Bert
  0 siblings, 0 replies; 26+ messages in thread
From: Arnauts, Bert @ 2004-06-14 17:05 UTC (permalink / raw)
  To: netfilter

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Monday, June 14, 2004 4:51 PM
To: netfilter@lists.netfilter.org
Subject: Re: DNAT question

On Monday 14 June 2004 3:35 pm, Arnauts, Bert wrote:

> Hello all,
>
> I want to DNAT some machines in another subnet.
> The target machines have ip's like 11.0.0.x/24
>
> My available lan ip's are 172.239.239.x/27 (255.255.255.224)
>
> These are my rules, which are apparently not working.

How are you trying to test the rules?   What tells you they're not
working?

Where are you testing from?

I am testing from a machine that can ping the NAT box's IP and I can
access all sorts of other systems' services on that subnet.
(my NAT box: 172.25.239.208)

> I created virtual interfaces on eth1, one for each DNAT'ed ip.

Can you ping one of those addresses from a machine directly connected to
eth1, and then check the arp cache (arp -an under Linux) to be sure
that the IP / MAC address link is working correctly?

Yes, I can ping these addresses (without my iptables). With my rules it
doesn't work anymore.

> What am I missing? Forget about normal tables stuff, I only want this
> machine to do DNAT.

What does "iptables -L -t nat -nvx" show you for the packet / byte
counters?    see below
Does it look like netfilter thinks it's doing any NAT?    yes ... I
guess. see below

I also ripped something from fwbuilder and adapted it a little bit; this
is my new script.


#!/bin/bash
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
LOGGER="/usr/bin/logger"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

$IPTABLES -P OUTPUT ACCEPT 
$IPTABLES -P INPUT   ACCEPT 
$IPTABLES -P FORWARD ACCEPT 

cat /proc/net/ip_tables_names | while read table; do
  $IPTABLES -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        $IPTABLES -t $table -F $chain
      fi
  done
  $IPTABLES -t $table -X
done

MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/" 
MODULES=`(cd $MODULE_DIR; ls *_conntrack_*  *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do 
  if $LSMOD | grep ${module} >/dev/null; then continue; fi
  $MODPROBE ${module} ||  exit 1 
done

echo "Activating firewall script generated Thu Jun 10 15:03:22 2004 CEST by root"

$IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16 
$IPTABLES -t nat -A OUTPUT -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16 

$IPTABLES -A INPUT   -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -d 11.0.0.16  -m state --state NEW  -j RULE_0 
$IPTABLES -A FORWARD -d 11.0.0.16  -m state --state NEW  -j RULE_0 
$IPTABLES -A RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- ACCEPT " 
$IPTABLES -A RULE_0  -j ACCEPT 
echo 1 > /proc/sys/net/ipv4/ip_forward



thx Antony !
(nice quote)

--
If the human brain were so simple that we could understand it, we'd be
so simple that we couldn't.

                                                     Please reply to the list; please don't CC me.

---------------------------------------------------------------------------------------------------------------------


[root@linuxrouter root]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:E0:18:02:7E:9B  
          inet addr:11.0.0.3  Bcast:11.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:286513 (279.7 Kb)  TX bytes:6516 (6.3 Kb)
          Interrupt:5 Base address:0xd800 Memory:fb000000-fb000038 

eth1      Link encap:Ethernet  HWaddr 00:D0:B7:E0:1F:2C  
          inet addr:172.25.239.208  Bcast:172.25.239.223  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7342 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2091 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:629297 (614.5 Kb)  TX bytes:342349 (334.3 Kb)
          Interrupt:11 Base address:0xd400 Memory:fa000000-fa000038 

eth1:1    Link encap:Ethernet  HWaddr 00:D0:B7:E0:1F:2C  
          inet addr:172.25.239.220  Bcast:172.25.255.255  Mask:255.255.255.224
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:11 Base address:0xd400 Memory:fa000000-fa000038 

[root@linuxrouter root]# ping 11.0.0.16
PING 11.0.0.16 (11.0.0.16) 56(84) bytes of data.
64 bytes from 11.0.0.16: icmp_seq=1 ttl=128 time=0.261 ms


[root@linuxrouter root]# ping 172.25.239.220
PING 172.25.239.220 (172.25.239.220) 56(84) bytes of data.
64 bytes from 172.25.239.220: icmp_seq=1 ttl=128 time=0.264 ms


[root@linuxrouter root]# iptables -L -t nat -nvx
Chain PREROUTING (policy ACCEPT 16 packets, 3256 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
      70    11224 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27  to:11.0.0.16 

Chain POSTROUTING (policy ACCEPT 19 packets, 6614 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 420 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       5      404 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27  to:11.0.0.16 

[root@linuxrouter root]# arp -an
? (172.25.239.201) at 00:30:05:11:F9:EA [ether] on eth1
? (172.25.239.193) at 00:60:47:40:F7:A5 [ether] on eth1
? (11.0.0.16) at 00:E0:18:02:38:60 [ether] on eth0

[BRUBARNA7M] D:\some_crapy\windows_box>ping 172.25.239.220

Pinging 172.25.239.220 with 32 bytes of data:

Request timed out.

Ping statistics for 172.25.239.220:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

also ... even a ping to my normal host is not working anymore. (which was
working without the tables)

[BRUBARNA7M] D:\some_crapy\windows_box>ping 172.25.239.208

Pinging 172.25.239.208 with 32 bytes of data:

Request timed out.

Ping statistics for 172.25.239.208:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

you should think it is my firewall ... but I accept everything ... :(

[root@linuxrouter root]# iptables -L -nvx
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     557    72706 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     147    13879 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED
       0        0 RULE_0     all  --  *      *       0.0.0.0/0            11.0.0.16          state NEW

Chain OUTPUT (policy ACCEPT 1 packets, 152 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     269    31752 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW,RELATED,ESTABLISHED
       0        0 RULE_0     all  --  *      *       0.0.0.0/0            11.0.0.16          state NEW

Chain RULE_0 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `RULE 0 -- ACCEPT '
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: DNAT question
  2004-06-14 14:35 Arnauts, Bert
  2004-06-14 14:51 ` Antony Stone
@ 2004-06-14 15:12 ` John A. Sullivan III
  2004-06-15 11:40 ` John A. Sullivan III
  2 siblings, 0 replies; 26+ messages in thread
From: John A. Sullivan III @ 2004-06-14 15:12 UTC (permalink / raw)
  To: Arnauts, Bert; +Cc: netfilter

On Mon, 2004-06-14 at 10:35, Arnauts, Bert wrote:
> Hello all,
> 
> I want to DNAT some machines in another subnet.
> The target machines have ip's like 11.0.0.x/24
> 
> My available lan ip's are 172.239.239.x/27 (255.255.255.224)
> 
> These are my rules. Which are apparently not working.
> I created virtual interfaces on eth1, one for each DNAT'ed ip.
> 
> What am I missing ? Forget about normal tables stuff, I only want this
> machine to do DNAT.
> 
> Thx,
> 
> 
> INET_IP="172.25.239.208"
> INET_IFACE="eth1"
> INET_BROADCAST="172.25.239.223"
> LAN_IP="11.0.0.1"
> LAN_IP_RANGE="11.0.0.0/24"
> LAN_IFACE="eth0"
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
> $IPTABLES --flush
> $IPTABLES --table nat --flush
> $IPTABLES --delete-chain
> $IPTABLES --table nat --delete-chain
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/255.255.255.224 -j DNAT --to 11.0.0.9
In what way are they not working?
In this rule set you are saying that every packet going out eth1 should
have the source changed to the source of the gateway and all packets to
172.25.239.220/27 should have their DA changed to 11.0.0.9 regardless of
interface.  Is that what you want it to do?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* Re: DNAT question
  2004-06-14 14:35 Arnauts, Bert
@ 2004-06-14 14:51 ` Antony Stone
  2004-06-14 15:12 ` John A. Sullivan III
  2004-06-15 11:40 ` John A. Sullivan III
  2 siblings, 0 replies; 26+ messages in thread
From: Antony Stone @ 2004-06-14 14:51 UTC (permalink / raw)
  To: netfilter

On Monday 14 June 2004 3:35 pm, Arnauts, Bert wrote:

> Hello all,
>
> I want to DNAT some machines in another subnet.
> The target machines have ip's like 11.0.0.x/24
>
> My available lan ip's are 172.239.239.x/27 (255.255.255.224)
>
> These are my rules. Which are apparently not working.

How are you trying to test the rules?   What tells you they're not working?

Where are you testing from?

> I created virtual interfaces on eth1, one for each DNAT'ed ip.

Can you ping one of those addresses from a machine directly connected to eth1, 
and then check the arp cache (arp -an under Linux) to be sure that the IP / 
MAC address link is working correctly?

> What am I missing ? Forget about normal tables stuff, I only want this
> machine to do DNAT.

What does "iptables -L -t nat -nvx" show you for the packet / byte counters?   
Does it look like netfilter thinks it's doing any NAT?

> INET_IP="172.25.239.208"
> INET_IFACE="eth1"
> INET_BROADCAST="172.25.239.223"
> LAN_IP="11.0.0.1"
> LAN_IP_RANGE="11.0.0.0/24"
> LAN_IFACE="eth0"
> LO_IFACE="lo"
> LO_IP="127.0.0.1"
> IPTABLES="/sbin/iptables"
> echo "1" > /proc/sys/net/ipv4/ip_forward
> $IPTABLES --flush
> $IPTABLES --table nat --flush
> $IPTABLES --delete-chain
> $IPTABLES --table nat --delete-chain
> $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
> $IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
> $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/255.255.255.224 -j DNAT --to 11.0.0.9

Try $IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to 11.0.0.9 
instead of the above netmask.

Regards,

Antony.

-- 
If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

                                                     Please reply to the list;
                                                           please don't CC me.



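The two checks Antony asks for (do the nat counters show any translation, and which addresses does the match really cover, which is also John's point about the /27 earlier in the thread) can be scripted. The following is an added example and not code from the thread: the listing is copied from Bert's `iptables -L -t nat -nvx` output with one constructed zero-counter rule appended for contrast, and the addresses tested are the ones from his setup (the router's own eth1 address .208, the virtual interface .220, and .224 just outside the block).

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the diagnosis Antony asks
# Bert to do: read the nat table's packet counters to see whether netfilter is
# translating at all, and work out which addresses a DNAT "-d" match really
# covers (John's point that 172.25.239.220/27 is the whole /27, not one host).

# Copy of the PREROUTING part of Bert's `iptables -L -t nat -nvx` output, with
# one constructed zero-counter rule (to 11.0.0.17) appended for contrast.
NAT_LISTING='Chain PREROUTING (policy ACCEPT 16 packets, 3256 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      70    11224 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27  to:11.0.0.16
       0        0 DNAT       tcp  --  *      *       0.0.0.0/0            172.25.239.221     tcp dpt:22 to:11.0.0.17:22'

# Read an iptables -nvx listing on stdin; print "CHAIN: rule" for every rule
# whose packet counter is non-zero, i.e. the rules that have matched something.
nat_rules_with_hits() {
    awk '
        /^Chain /        { chain = $2; next }
        /^ *pkts +bytes/ { next }
        NF && $1 + 0 > 0 { sub(/^ +/, ""); printf "%s: %s\n", chain, $0 }
    '
}

# Dotted quad -> 32-bit integer.
ip_to_int() {
    saved_ifs=$IFS; IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when address $2 lies inside the block $1, written like an iptables -d
# argument (e.g. 172.25.239.220/27); a bare address is treated as /32.
cidr_contains() {
    case $1 in
        */*) net=${1%/*}; len=${1#*/} ;;
        *)   net=$1;      len=32 ;;
    esac
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# Print which of the given addresses a DNAT "-d MATCH" rule would also rewrite.
# Usage: dnat_catches MATCH addr...
dnat_catches() {
    match=$1; shift
    for addr in "$@"; do
        if cidr_contains "$match" "$addr"; then
            echo "$addr"
        fi
    done
}

printf '%s\n' "$NAT_LISTING" | nat_rules_with_hits
# Bert's router address (.208), one of his virtual interfaces (.220), and an
# address just outside the /27 (.224):
dnat_catches 172.25.239.220/27 172.25.239.208 172.25.239.220 172.25.239.224
```

Run as-is it reports the one rule with a non-zero counter (so netfilter is translating) and lists .208 and .220 as caught by the match: 172.25.239.208, the router's own address on eth1 in Bert's script, falls inside 172.25.239.192/27, so the rule as written also rewrites packets addressed to the router itself, regardless of interface, as John notes. That is consistent with Bert's report that pinging .208 stopped working once the rules were loaded.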

* DNAT question
@ 2004-06-14 14:35 Arnauts, Bert
  2004-06-14 14:51 ` Antony Stone
                   ` (2 more replies)
  0 siblings, 3 replies; 26+ messages in thread
From: Arnauts, Bert @ 2004-06-14 14:35 UTC (permalink / raw)
  To: netfilter


Hello all,

I want to DNAT some machines in another subnet.
The target machines have ip's like 11.0.0.x/24

My available lan ip's are 172.239.239.x/27 (255.255.255.224)

These are my rules. Which are apparently not working.
I created virtual interfaces on eth1, one for each DNAT'ed ip.

What am I missing ? Forget about normal tables stuff, I only want this
machine to do DNAT.

Thx,


INET_IP="172.25.239.208"
INET_IFACE="eth1"
INET_BROADCAST="172.25.239.223"
LAN_IP="11.0.0.1"
LAN_IP_RANGE="11.0.0.0/24"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -t nat -A PREROUTING -d 172.25.239.220/255.255.255.224 -j DNAT --to 11.0.0.9




* DNAT question
@ 2004-03-12  2:14 Old Cowhand
  0 siblings, 0 replies; 26+ messages in thread
From: Old Cowhand @ 2004-03-12  2:14 UTC (permalink / raw)
  To: netfilter

Hello everyone--

I have what should be a simple configuration for
proxy, but it doesn't seem to work, and I don't know
why.  I've reproduced the problem in multiple
locations with different 2.4 kernels.  Here's the test
layout in ASCII (I hope you're using monospaced
fonts!):

                                   |--Web server
       eth0                   eth1 |  192.168.64.15/24
PC---------------Linux 2.4.19-------
172.16.1.2/30    172.16.1.1/30     |
                 192.168.64.1/24   |--Web server
                                      192.168.64.5/24

My DNAT rule:

iptables -t nat -A PREROUTING -s 172.16.1.2 -d 192.168.64.5 -p tcp --dport 80 -j DNAT --to 192.168.64.15

In tcpdump, I see the HTTP request come from the PC
with a destination of .5 on eth0.  I see the DNAT rule
match in iptables -L -n -v -t nat.  I see the HTTP
request go on eth1 to .15 (DNAT rule works).  I see
the HTTP server at .15 reply to 172.16.1.2 on eth1. 
The data is dropped and never returned after that. 
The reply never appears on eth0.

ip_conntrack shows SYN_SENT [UNREPLIED] on that
connection.

A few notes:

1) The PC can talk directly to .15's Web server with
no problems.  Routing is just fine.

2) If I configure .5 on the Linux box and ditch the
second Web server, everything works normally.

3) The DNAT rule is the ONLY iptables rule in place.

4) I have no dynamic routing, proxy arp, route filters
or other configurations in place.  It's simple static
routing.

I'm stumped.  Ultimately, I want to be able to take IP
addresses for my customers and point any Web requests
to a server that returns a page saying "Sorry, you
didn't pay your bill."  That's why #2 above won't work
for me in the long run.

Does anyone have any ideas?

Thanks in advance,

Doug

__________________________________
Do you Yahoo!?
Yahoo! Search - Find what you’re looking for faster
http://search.yahoo.com



* Re: dnat question
  2004-02-24  4:18 ` John A. Sullivan III
@ 2004-02-25 15:48   ` Antony Stone
  0 siblings, 0 replies; 26+ messages in thread
From: Antony Stone @ 2004-02-25 15:48 UTC (permalink / raw)
  To: netfilter

On Tuesday 24 February 2004 4:18 am, John A. Sullivan III wrote:

> On Mon, 2004-02-23 at 16:23, John Black wrote:
> > Since i'm  running separate servers for FTP, Mail, and Web, and using
> > dnat to port forward to these machines. Do i need these ports open on the
> > firewall?
>
> I am not an expert on the inward workings of iptables but I would assume
> that you do.  The NAT targets will change the source and destination
> addresses but the packets (at least the first packet in the case of
> connection tracking) must traverse the FORWARD chain of the filter
> table.  It will pass through that table with the real address so there
> must be a rule to allow access to the real address.

What you say is correct - you must have a rule in the FORWARD chain to allow 
the packets through the firewall.

However, I think this is a very different thing from "having the ports open on 
the firewall", since to me this means that the firewall itself is listening 
on those ports.

Hopefully the combination of your explanation about the FORWARD chain and my 
previous explanation about not running local services has clarified things :)

Regards,

Antony.

-- 
Never write it in Perl if you can do it in Awk.
Never do it in Awk if sed can handle it.
Never use sed when tr can do the job.
Never invoke tr when cat is sufficient.
Avoid using cat whenever possible.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: dnat question
  2004-02-23 21:23 dnat question John Black
  2004-02-24  4:18 ` John A. Sullivan III
@ 2004-02-24  8:56 ` Antony Stone
  1 sibling, 0 replies; 26+ messages in thread
From: Antony Stone @ 2004-02-24  8:56 UTC (permalink / raw)
  To: netfilter

On Monday 23 February 2004 9:23 pm, John Black wrote:

> Since i'm  running separate servers for FTP, Mail, and Web, and using dnat
> to port forward to these machines. Do i need these ports open on the
> firewall?

No.   You are not running the services on the firewall, therefore you don't 
need the ports open on the firewall.   The firewall is simply passing the 
packets on to somewhere else.

Antony.

-- 
Documentation is like sex.
When it's good, it's very very good.
When it's bad, it's still better than nothing.

                                                     Please reply to the list;
                                                           please don't CC me.




* Re: dnat question
  2004-02-23 21:23 dnat question John Black
@ 2004-02-24  4:18 ` John A. Sullivan III
  2004-02-25 15:48   ` Antony Stone
  2004-02-24  8:56 ` Antony Stone
  1 sibling, 1 reply; 26+ messages in thread
From: John A. Sullivan III @ 2004-02-24  4:18 UTC (permalink / raw)
  To: black; +Cc: netfilter

On Mon, 2004-02-23 at 16:23, John Black wrote:
> Since i'm  running separate servers for FTP, Mail, and Web, and using dnat to
> port forward to these machines. Do i need these ports open on the firewall?
<snip>
I am not an expert on the inward workings of iptables but I would assume
that you do.  The NAT targets will change the source and destination
addresses but the packets (at least the first packet in the case of
connection tracking) must traverse the FORWARD chain of the filter
table.  It will pass through that table with the real address so there
must be a rule to allow access to the real address.

If someone tells you otherwise, listen to them :-)
-- 
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com




* dnat question
@ 2004-02-23 21:23 John Black
  2004-02-24  4:18 ` John A. Sullivan III
  2004-02-24  8:56 ` Antony Stone
  0 siblings, 2 replies; 26+ messages in thread
From: John Black @ 2004-02-23 21:23 UTC (permalink / raw)
  To: netfilter


Since i'm  running separate servers for FTP, Mail, and Web, and using dnat to
port forward to these machines. Do i need these ports open on the firewall?


john



http://www.arbbs.net/



* Re: DNAT question..
  2003-07-24 14:15 ` DNAT question Chris Wilson
@ 2003-07-25  2:41   ` Rio Martin.
  0 siblings, 0 replies; 26+ messages in thread
From: Rio Martin. @ 2003-07-25  2:41 UTC (permalink / raw)
  To: netfilter

On Thursday 24 July 2003 21:15, you wrote:
> Hi Federico,
> >    I think the problem is in the destination IP address, you have to use
> > the external IP, so i think the rule should be:
> > iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 211.1.1.10
> >    --dport 80 -j SNAT --to 192.168.1.1
> I don't think that's true in this case. As far as I know, after the
> destination address has been rewritten in PREROUTING, all subsequent hooks
> (FORWARD and POSTROUTING) will see the new destination address, not the
> original. But please correct me if I'm wrong.

Finally I found the answer to my own problem..  (:

# Rule that handles requests to the local webserver from outside
iptables -t nat -A PREROUTING -p tcp -d 211.1.1.10 --dport 80 -j DNAT --to 192.168.1.2

# Rule that handles requests from the local network to the local webserver
iptables -t nat -I POSTROUTING -p tcp -s 192.168.1.0/24 -d 192.168.1.2 --dport 80 -j SNAT --to 211.1.1.10

Enter both rules, that's it ..
From local or outside I tried to surf http://211.1.1.10 and both requests 
entered the webserver successfully.

Thanks to everyone who helped me, especially with the " -I POSTROUTING " rule. That 
helped much ..

Regards,
Rio Martin.
- 
"When in doubt, tell the truth."
		-- Mark Twain



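Rio's DNAT plus SNAT pair above, together with the point John Sullivan and Antony Stone make in the "dnat question" thread (the filter table sees the translated destination, so FORWARD must allow the real server address), fit into one rule set. The script below is an added example and not code from the thread or from netfilter: it uses Rio's addresses (211.1.1.10 on eth0, 192.168.1.0/24 on eth1), a constructed list of published services, and prints the iptables commands instead of running them unless IPTABLES is set to the real binary.

```shell
#!/bin/sh
# Added example (not code from the thread). Publishes internal servers behind a
# NAT firewall and emits, for each one, the three rules the replies call for:
#   1. DNAT in PREROUTING (the port forward itself);
#   2. an ACCEPT in FORWARD for the *translated* destination, because the
#      filter table sees the real server address after DNAT (John / Antony);
#   3. SNAT in POSTROUTING for LAN clients reaching the server via the public
#      address, so replies come back through the firewall (Rio's fix).
# Addresses follow Rio's post: 211.1.1.10 on eth0, 192.168.1.0/24 on eth1.
# With IPTABLES unset the commands are only printed (dry run); set
# IPTABLES=/sbin/iptables to apply them on the router.

PUBLIC_IP="211.1.1.10"
PUBLIC_IFACE="eth0"
LAN_NET="192.168.1.0/24"
LAN_IFACE="eth1"
IPTABLES="${IPTABLES:-echo iptables}"

# Published services as "proto:public_port:internal_ip:internal_port".
# Constructed sample set; only the web server 192.168.1.2 is from the thread.
SERVICES="tcp:80:192.168.1.2:80 tcp:25:192.168.1.3:25 tcp:21:192.168.1.4:21"

enable_forwarding() {
    case $IPTABLES in
        echo*) echo "echo 1 > /proc/sys/net/ipv4/ip_forward" ;;  # dry run
        *)     echo 1 > /proc/sys/net/ipv4/ip_forward ;;
    esac
}

# Stateful baseline: replies and related traffic pass, any other forwarded
# packet must match an explicit rule; LAN hosts reach the Internet via SNAT.
base_rules() {
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$PUBLIC_IFACE" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$PUBLIC_IFACE" -s "$LAN_NET" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# Emit the rules for one "proto:public_port:internal_ip:internal_port" entry.
publish_service() {
    proto=${1%%:*};       rest=${1#*:}
    pub_port=${rest%%:*}; rest=${rest#*:}
    int_ip=${rest%%:*};   int_port=${rest#*:}

    # 1. Port forward: rewrite the public destination to the internal server.
    #    No -i restriction, so LAN clients using the public IP are translated too.
    $IPTABLES -t nat -A PREROUTING -p "$proto" -d "$PUBLIC_IP" --dport "$pub_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    # 2. The filter table sees the translated address: open FORWARD for it.
    $IPTABLES -A FORWARD -o "$LAN_IFACE" -p "$proto" -d "$int_ip" --dport "$int_port" \
        -m state --state NEW -j ACCEPT
    # 3. Hairpin: a LAN client and the server share a subnet, so without this
    #    the server would answer the client directly and the client would drop
    #    a reply from an address it never contacted. Rewriting the source to
    #    the firewall forces the reply back through it to be un-DNATed.
    $IPTABLES -t nat -A POSTROUTING -o "$LAN_IFACE" -s "$LAN_NET" -d "$int_ip" \
        -p "$proto" --dport "$int_port" -j SNAT --to-source "$PUBLIC_IP"
}

# Emit the whole rule set (prints in dry-run mode).
apply_all() {
    enable_forwarding
    base_rules
    for svc in $SERVICES; do
        publish_service "$svc"
    done
}

apply_all
```

Two caveats on rule 3, which is Rio's rule generalised: it also rewrites the source of LAN clients that connect to 192.168.1.2 directly, so the server's logs show 211.1.1.10 for every LAN client; on kernels with the conntrack match, adding `-m conntrack --ctstate DNAT` to that rule limits it to connections that were actually port-forwarded. The `--to-source` may equally be the firewall's LAN address (192.168.1.1); either way the server's reply is routed to the firewall, which is what matters.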

* Re: DNAT question..
       [not found] <3F1FDDFB.469242E1@goyaike.com>
@ 2003-07-24 14:15 ` Chris Wilson
  2003-07-25  2:41   ` Rio Martin.
  0 siblings, 1 reply; 26+ messages in thread
From: Chris Wilson @ 2003-07-24 14:15 UTC (permalink / raw)
  To: Gonzalez, Federico; +Cc: Rio Martin, Netfilter

Hi Federico,

>    I think the problem is in the destination IP address, you have to use the
> external IP, so i think the rule should be:
> 
> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 211.1.1.10
>    --dport 80 -j SNAT --to 192.168.1.1

I don't think that's true in this case. As far as I know, after the
destination address has been rewritten in PREROUTING, all subsequent hooks
(FORWARD and POSTROUTING) will see the new destination address, not the
original. But please correct me if I'm wrong.

[By the way, you sent your reply to me, not to Rio or the Netfilter list.]

Cheers, Chris.
-- 
   ___ __     _
 / __// / ,__(_)_  | Chris Wilson -- UNIX Firewall Lead Developer |
/ (_ / ,\/ _/ /_ \ | NetServers.co.uk http://www.netservers.co.uk |
\ _//_/_/_//_/___/ | 21 Signet Court, Cambridge, UK. 01223 576516 |





end of thread, other threads:[~2006-02-15  0:23 UTC | newest]

Thread overview: 26+ messages (download: mbox.gz / follow: Atom feed)
2003-07-24  7:00 DNAT question Rio Martin.
2003-07-24  8:29 ` Philip Craig
2003-07-24  8:56   ` Rio Martin.
2003-07-24  9:42     ` Chris Wilson
2003-07-24 13:37       ` Gonzalez, Federico
2003-07-24 14:16         ` Cedric Blancher
2003-07-24 16:22     ` Not quite understanding DNAT Coutts, Ashe (Testing Account)
2003-07-24 16:43       ` Aldo S. Lagana
2003-07-25  0:14       ` Philip Craig
2003-07-25  9:47       ` Chris Wilson
2003-07-25 10:10         ` Cedric Blancher
     [not found] <3F1FDDFB.469242E1@goyaike.com>
2003-07-24 14:15 ` DNAT question Chris Wilson
2003-07-25  2:41   ` Rio Martin.
2004-02-23 21:23 dnat question John Black
2004-02-24  4:18 ` John A. Sullivan III
2004-02-25 15:48   ` Antony Stone
2004-02-24  8:56 ` Antony Stone
2004-03-12  2:14 DNAT question Old Cowhand
2004-06-14 14:35 Arnauts, Bert
2004-06-14 14:51 ` Antony Stone
2004-06-14 15:12 ` John A. Sullivan III
2004-06-15 11:40 ` John A. Sullivan III
2004-06-14 17:05 Arnauts, Bert
2005-10-07  3:32 dnat question Gene Dellinger
2006-02-14 20:48 James Edward Stickland
2006-02-15  0:23 ` Edmundo Carmona
