From: "Arnauts, Bert" <Bert.Arnauts@fujitsu-siemens.com>
To: netfilter@lists.netfilter.org
Subject: RE: DNAT question
Date: Mon, 14 Jun 2004 19:05:51 +0200
Message-ID: <519AD2BA94FC6E4DB5DE078B2E37CB10A37A8C@PDBEX01E.pdb.fsc.net>
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Monday, June 14, 2004 4:51 PM
To: netfilter@lists.netfilter.org
Subject: Re: DNAT question
On Monday 14 June 2004 3:35 pm, Arnauts, Bert wrote:
> Hello all,
>
> I want to DNAT some machines in another subnet.
> The target machines have IPs like 11.0.0.x/24
>
> My available LAN IPs are 172.239.239.x/27 (255.255.255.224)
>
> These are my rules. Which are apparently not working.
How are you trying to test the rules? What tells you they're not working?
Where are you testing from?
I am testing from a machine that can ping the NAT box's IP and I can
access all sorts of other systems' services on that subnet.
(my NAT box: 172.25.239.208)
> I created virtual interfaces on eth1, one for each DNAT'ed ip.
Can you ping one of those addresses from a machine directly connected to
eth1, and then check the arp cache (arp -an under Linux) to be sure
that the IP / MAC address link is working correctly?
Yes I can ping these addresses (without my iptables). With my rules it
doesn't work anymore.
> What am I missing ? Forget about normal tables stuff, I only want this
> machine to do DNAT.
What does "iptables -L -t nat -nvx" show you for the packet / byte counters?
see below
Does it look like netfilter thinks it's doing any NAT?
yes ... I guess. see below
I also ripped something from fwbuilder, adapted it a little bit .. this
is my new script.
#!/bin/bash
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
LOGGER="/usr/bin/logger"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# flush every chain of every loaded table, then delete user-defined chains
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done
# load every conntrack / nat helper module found for the running kernel
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//; s/\.ko$//')`
for module in $(echo $MODULES); do
    if $LSMOD | grep ${module} >/dev/null; then continue; fi
    $MODPROBE ${module} || exit 1
done
echo "Activating firewall script generated Thu Jun 10 15:03:22 2004 CEST by root"
$IPTABLES -t nat -A PREROUTING -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
$IPTABLES -t nat -A OUTPUT -d 172.25.239.220/27 -j DNAT --to-destination 11.0.0.16
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -d 11.0.0.16 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -d 11.0.0.16 -m state --state NEW -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
thx Antony !
(nice quote)
--
If the human brain were so simple that we could understand it, we'd be
so simple that we couldn't.
Please reply to the list; please don't CC me.
---------------------------------------------------------------------------------------------------------------------
[root@linuxrouter root]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:E0:18:02:7E:9B
inet addr:11.0.0.3 Bcast:11.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4822 errors:0 dropped:0 overruns:0 frame:0
TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:286513 (279.7 Kb) TX bytes:6516 (6.3 Kb)
Interrupt:5 Base address:0xd800 Memory:fb000000-fb000038
eth1 Link encap:Ethernet HWaddr 00:D0:B7:E0:1F:2C
inet addr:172.25.239.208 Bcast:172.25.239.223 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7342 errors:0 dropped:0 overruns:0 frame:0
TX packets:2091 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:629297 (614.5 Kb) TX bytes:342349 (334.3 Kb)
Interrupt:11 Base address:0xd400 Memory:fa000000-fa000038
eth1:1 Link encap:Ethernet HWaddr 00:D0:B7:E0:1F:2C
inet addr:172.25.239.220 Bcast:172.25.255.255 Mask:255.255.255.224
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:11 Base address:0xd400 Memory:fa000000-fa000038
[root@linuxrouter root]# ping 11.0.0.16
PING 11.0.0.16 (11.0.0.16) 56(84) bytes of data.
64 bytes from 11.0.0.16: icmp_seq=1 ttl=128 time=0.261 ms
[root@linuxrouter root]# ping 172.25.239.220
PING 172.25.239.220 (172.25.239.220) 56(84) bytes of data.
64 bytes from 172.25.239.220: icmp_seq=1 ttl=128 time=0.264 ms
[root@linuxrouter root]# iptables -L -t nat -nvx
Chain PREROUTING (policy ACCEPT 16 packets, 3256 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      70      11224 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27   to:11.0.0.16

Chain POSTROUTING (policy ACCEPT 19 packets, 6614 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 420 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       5        404 DNAT       all  --  *      *       0.0.0.0/0            172.25.239.192/27   to:11.0.0.16
[root@linuxrouter root]# arp -an
? (172.25.239.201) at 00:30:05:11:F9:EA [ether] on eth1
? (172.25.239.193) at 00:60:47:40:F7:A5 [ether] on eth1
? (11.0.0.16) at 00:E0:18:02:38:60 [ether] on eth0
[BRUBARNA7M] D:\some_crapy\windows_box>ping 172.25.239.220
Pinging 172.25.239.220 with 32 bytes of data:
Request timed out.
Ping statistics for 172.25.239.220:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
also ... even a ping to my normal host is not working anymore. (which was
working without the tables)
[BRUBARNA7M] D:\some_crapy\windows_box>ping 172.25.239.208
Pinging 172.25.239.208 with 32 bytes of data:
Request timed out.
Ping statistics for 172.25.239.208:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
you should think it is my firewall ... but I accept everything ... :(
[root@linuxrouter root]# iptables -L -nvx
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     557      72706 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     147      13879 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
       0          0 RULE_0     all  --  *      *       0.0.0.0/0            11.0.0.16           state NEW

Chain OUTPUT (policy ACCEPT 1 packets, 152 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     269      31752 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
       0          0 RULE_0     all  --  *      *       0.0.0.0/0            11.0.0.16           state NEW

Chain RULE_0 (2 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `RULE 0 -- ACCEPT '
       0          0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0