forwarding iptable packets

forwarding iptable packets

Jon Miller-5
I'm having a major problem trying to forward packets from either a workstation of the LAN to the Internet.
I want to be sure I'm doing this correctly.

I set a forward rule:
$IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT

Then I set a PREROUTING rule
$IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx

All I can see using tethereal on the network is SYN packets.

Any idea what I'm doing wrong?

Thanks

Re: forwarding iptable packets

Edward J. Shornock-2
On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon  Miller wrote:
> I'm having a major problem trying to forward packets from either a
> workstation of the LAN to the Internet.  I want to be sure I'm doing
> this correctly.

> I set a forward rule:
> $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
>
> Then I set a PREROUTING rule
> $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT --to-destination 192.168.xxx.xxx
>
> All I can see using tethereal on the network is SYN packets.
>
> Any idea what I'm doing wrong?

try
$IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT
--to-destination 192.168.xxx.xxx

The forward rule looks OK.

Re: forwarding iptable packets

anoop aryal
On Wednesday 01 February 2006 01:18 am, Edward Shornock wrote:

> On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon  Miller wrote:
> > I'm having a major problem trying to forward packets from either a
> > workstation of the LAN to the Internet.  I want to be sure I'm doing
> > this correctly.
> >
> > I set a forward rule:
> > $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
> >
> > Then I set a PREROUTING rule
> > $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT
> > --to-destination 192.168.xxx.xxx
> >
> > All I can see using tethereal on the network is SYN packets.
> >
> > Any idea what I'm doing wrong?
>
> try
> $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT
> --to-destination 192.168.xxx.xxx
>
> The forward rule looks OK.

if it's *from* the LAN *to* the internet, shouldn't it be:

if you have a static outside IP
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT
--to-source $EXT_IP

or, if your outside IP is dhcp assigned
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j MASQUERADE

-anoop.

Re: forwarding iptable packets

anoop aryal
On Wednesday 01 February 2006 11:32 am, anoop aryal wrote:

> On Wednesday 01 February 2006 01:18 am, Edward Shornock wrote:
> > On Thu, Feb 02, 2006 at 07:11:07AM +0800, Jon  Miller wrote:
> > > I'm having a major problem trying to forward packets from either a
> > > workstation of the LAN to the Internet.  I want to be sure I'm doing
> > > this correctly.
> > >
> > > I set a forward rule:
> > > $IPT -A FORWARD -i $INT_IFACE -o eth1 -p tcp --dport 1262 -j ACCEPT
> > >
> > > Then I set a PREROUTING rule
> > > $IPT -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT
> > > --to-destination 192.168.xxx.xxx
> > >
> > > All I can see using tethereal on the network is SYN packets.
> > >
> > > Any idea what I'm doing wrong?
> >
> > try
> > $IPT -t nat -A PREROUTING -i $EXT_IFACE -p tcp --dport 1262 -j DNAT
> > --to-destination 192.168.xxx.xxx
> >
> > The forward rule looks OK.
>
> if it's *from* the LAN *to* the internet, shouldn't it be:
>
> if you have a static outside IP
> $IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j DNAT
> --to-source $EXT_IP

Whoops,
make that:
$IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j SNAT
--to-source $EXT_IP


> or, if your outside IP is dhcp assigned
> $IPT -t nat -A POSTROUTING -o $EXT_IFACE -p tcp --dport 1262 -j MASQUERADE
>
> -anoop.



Re: forwarding iptable packets

Edward J. Shornock-2
In reply to this post by anoop aryal
On Wed, Feb 01, 2006 at 11:32:08AM -0600, anoop aryal wrote:
> if it's *from* the LAN *to* the internet, shouldn't it be:
[..]

Oops...I misread that.  Yeah, he's probably missing the SNAT or
MASQUERADE target if he's trying to get *out* to the Internet. If I
properly read the OP the first time, my reply would have been quite
different.

Assuming the OP wanted to forward ports from the *outside* to the
*inside*, something like this would work.

$IPT -t nat -A PREROUTING -p tcp -i $external_iface \
 -d $external_ip --dport 80 --sport 1024:65535 -j DNAT \
 --to $webserver:80
$IPT -A FORWARD -p tcp -i $external_iface -o $internal_iface \
 -d $webserver --dport 80 --sport 1024:65535 -m state \
 --state NEW,ESTABLISHED,RELATED -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

...but even with the port forwarding you'd still need to do as anoop
suggested.

# Uncomment the following line if your external IP address is dynamic
# $IPT -t nat -A POSTROUTING -o $external_iface -j MASQUERADE
# Uncomment the following line if your external IP address is static
# $IPT -t nat -A POSTROUTING -o $external_iface -j SNAT --to-source $external_ip

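The two directions the thread untangles, written up as an added example (not code from the thread or from any of its authors): LAN-to-Internet egress needs SNAT or MASQUERADE in the nat POSTROUTING chain, while an inbound port forward needs DNAT in the nat PREROUTING chain (the "-t nat" the original rule lacked) plus a matching FORWARD accept. Interface names, the 203.0.113.10 and 192.168.1.20 addresses and port 1262 are constructed placeholders, and "-m conntrack --ctstate" is the current spelling of the "-m state --state" match used above; rules are echoed rather than applied unless IPT=iptables is exported.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: every rule is
# printed instead of loaded. Export IPT=iptables SYSCTL=sysctl to apply.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"

# Egress: LAN -> Internet. Rewriting the source address is done on the way
# out, in nat/POSTROUTING, never in PREROUTING with DNAT. A static external
# address uses SNAT; a DHCP-assigned one uses MASQUERADE, which re-reads the
# interface address for every new connection.
# $1 = external iface, $2 = internal iface, $3 = static external IP or ""
egress_rules() {
  $IPT -A FORWARD -i "$2" -o "$1" \
       -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
  # Return traffic for the LAN must also be allowed through FORWARD,
  # otherwise only the outbound SYNs ever make it across the box.
  $IPT -A FORWARD -i "$1" -o "$2" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  if [ -n "$3" ]; then
    $IPT -t nat -A POSTROUTING -o "$1" -j SNAT --to-source "$3"
  else
    $IPT -t nat -A POSTROUTING -o "$1" -j MASQUERADE
  fi
}

# Ingress: Internet -> one LAN host on one TCP port. The DNAT rule lives in
# the nat table; the rewritten packet is then filtered by FORWARD, so the
# accept there matches the *internal* destination, not the external one.
# $1 = external iface, $2 = internal iface, $3 = external IP,
# $4 = internal host, $5 = TCP port
ingress_rules() {
  $IPT -t nat -A PREROUTING -i "$1" -d "$3" -p tcp --dport "$5" \
       -j DNAT --to-destination "$4:$5"
  $IPT -A FORWARD -i "$1" -o "$2" -p tcp -d "$4" --dport "$5" \
       -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check for a generated rule set: how many rules target the nat
# table. A forgotten "-t nat" shows up here as a count that is too low.
nat_rule_count() { printf '%s\n' "$1" | grep -c -- '-t nat'; }

main() {
  $SYSCTL -w net.ipv4.ip_forward=1
  egress_rules eth1 eth0 ""                       # DHCP-assigned uplink
  ingress_rules eth1 eth0 203.0.113.10 192.168.1.20 1262
}
main
```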