Hi all,

If I were any dumber, scientists would want to examine my brain.

Please view this message in a fixed-width font, so you can see the ASCII 
art.  Box C is a client machine.  Box F is the firewall, and Box W is the 
web server.


                C
        +--------------+
     |--|141.140.200.5 |
     |  +--------------+
     |
     |
     |          F
     |  +--------------+
     |--|141.140.200.20|              W
        +              +      +--------------+
        |141.140.1.10  |------|141.140.1.18  |
        +--------------+      +--------------+



Goal:  No matter what HTTP URL the client C types, his web browser ends up 
at Box W.  I had this working at one point, months ago, and have lost my 
notes.  I am now too dumb to get it going again.  Strangely, I don't 
remember this as having been too difficult.

SysInfo: Firewall is RH 7.2 with kernel 2.4.17.  IPTABLES is v1.2.5, 
installed from the source, then the kernel recompiled.

Current setup:
[root@dormsfw root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:domain
ACCEPT     tcp  --  141.140.200.5        anywhere           tcp spt:ssh
ACCEPT     tcp  --  141.140.200.5        anywhere           tcp dpt:ssh

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@dormsfw root]#

That allows DNS and ssh traffic only, and works.  So far so good.  Now I 
try adding the HTTP URL redirect stuff:

[root@dormsfw root]# iptables -L --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       tcp  --  141.140.200.5        anywhere           tcp dpt:http to:141.140.1.18
2    DNAT       udp  --  141.140.200.5        anywhere           udp dpt:http to:141.140.1.18

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@dormsfw root]#

And lastly I add a forward rule so the DNATted stuff can go through:
[root@dormsfw root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere           udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:domain
ACCEPT     tcp  --  141.140.200.5        anywhere           tcp spt:ssh
ACCEPT     tcp  --  141.140.200.5        anywhere           tcp dpt:ssh
ACCEPT     tcp  --  141.140.200.5        anywhere           tcp dpt:http
ACCEPT     udp  --  141.140.200.5        anywhere           udp dpt:http

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@dormsfw root]#

But this doesn't work.  Any attempts to access 141.140.1.18:80 work, and 
any attempts to access any other site:80 just hang.

Help!  I just don't see what I am missing.  It looks like this ought to 
rewrite the destination address & forward the packet.  Why doesn't it?

Thanks in advance,
Ted Fines
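An added model of the ruleset listed above (not Ted's code, and not a real iptables run): it applies the nat PREROUTING DNAT and then the FORWARD chain, with conntrack's reverse mapping of the reply done by hand, to both legs of a constructed HTTP session. The remote site 1.2.3.4 and client port 40000 are made up for the trace; what the model shows is that, as listed, no FORWARD rule matches return traffic for either the DNATted or the direct case, so the per-rule counters from `iptables -L -n -v` on F are the first thing to compare against this trace.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int

CLIENT, WEB = "141.140.200.5", "141.140.1.18"

# FORWARD rules exactly as shown by `iptables -L`: (proto, src, sport, dport).
# None stands for "anywhere" / any port.  Chain policy is DROP.
FORWARD = [
    ("udp", None, None, 53),
    ("tcp", None, None, 53),
    ("tcp", CLIENT, 22, None),
    ("tcp", CLIENT, None, 22),
    ("tcp", CLIENT, None, 80),
    ("udp", CLIENT, None, 80),
]

def forward_verdict(p: Pkt) -> str:
    """First-match evaluation of the FORWARD chain above."""
    for proto, src, sport, dport in FORWARD:
        if (p.proto == proto and src in (None, p.src)
                and sport in (None, p.sport) and dport in (None, p.dport)):
            return "ACCEPT"
    return "DROP"  # chain policy

def nat_prerouting(p: Pkt) -> Pkt:
    """nat PREROUTING rule 1: DNAT the client's tcp dpt:http to the web server."""
    if p.src == CLIENT and p.proto == "tcp" and p.dport == 80:
        return replace(p, dst=WEB)
    return p

def trace_http_session(site: str, sport: int = 40000) -> dict:
    """Client C opens TCP/80 to `site`; report the FORWARD verdict per direction."""
    request = nat_prerouting(Pkt("tcp", CLIENT, site, sport, 80))
    # W answers; conntrack undoes the DNAT, so FORWARD sees the reply
    # as coming from the address the client originally asked for.
    reply = Pkt("tcp", site, CLIENT, 80, sport)
    return {"request_dst": request.dst,
            "request": forward_verdict(request),
            "reply": forward_verdict(reply)}

if __name__ == "__main__":
    print("other site:", trace_http_session("1.2.3.4"))  # constructed address
    print("direct to W:", trace_http_session(WEB))
```

With iptables 1.2.5 the usual way to cover the return leg is a state match (`-m state --state ESTABLISHED,RELATED -j ACCEPT`) in FORWARD, which the listing does not contain.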