Re: iptables port forwarding?
On Sun, 2002-02-17 at 20:55, Rick Pasotto wrote:
> On Sun, Feb 17, 2002 at 03:43:25AM -0800, Jeremy T. Bouse wrote:
> > On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> > > How do I port forward with iptables? With ipchains the command was:
> > >
> > > ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
> >
> > What I have in my firewall rules script built with Firewall
> > Builder 1.0.0 (fwbuilder) to do port forwarding is:
> >
> > iptables -t nat -A PREROUTING -p tcp -s -d --destination-port -j DNAT --to-destination :
> >
> > This works very good... In fact all my machines are behind the
> > firewall and only have what ports are forward'd in available...
>
> OK. Here is the rule I used:
>
> iptables -t nat -A PREROUTING -p tcp -s 64.34.82.201 -d 192.168.0.1 --destination-port 2047 -j DNAT --to-destination 192.168.0.5:2047
>
> When I activate the program on the windows box (192.168.0.5) tcpdump
> reports lots of hits on eth0 port 2047 but nothing on eth1 port 2047
> and the program doesn't respond like it should.
>

Your rule is for connections originating at IP 64.34.82.201 with destination port 2047 on 192.168.0.1, which is nearly impossible since 192.168 is not visible to 64.34.82.201. Plus, it seems you want to do something originating at 192.168.0.5, while this is the final destination of your routing.

What you meant is probably: any source (omit the -s), -d 64.34.82.201 (if this is the public IP of your frontend); the remainder seems fine.

> What am I misunderstanding? Does it matter whether the SNAT (to do
> masquerading) or the DNAT rule comes first?
>

No, PREROUTING (DNAT) is always treated before POSTROUTING (SNAT).

> Also, how do you list the nat chains? 'iptables -L' only lists the
> filter chains.
>

iptables -L -t nat

Michel.
Re: iptables port forwarding?
On Sun, Feb 17, 2002 at 06:55:08PM -0500, Rick Pasotto wrote:
> On Sun, Feb 17, 2002 at 03:43:25AM -0800, Jeremy T. Bouse wrote:
> > On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> > > How do I port forward with iptables? With ipchains the command was:
> > >
> > > ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
> >
> > iptables -t nat -A PREROUTING -p tcp -s -d --destination-port -j DNAT --to-destination :
>
> iptables -t nat -A PREROUTING -p tcp -s 64.34.82.201 -d 192.168.0.1 --destination-port 2047 -j DNAT --to-destination 192.168.0.5:2047
>

Okay, this states it will only port forward if the packet is being sent from 64.34.82.201 destined for 192.168.0.1, then redirect it to 192.168.0.5:2047. If I understand your intent, I'm assuming 64.34.82.201 is your external public IP and you want any connection attempt to port 2047/tcp to go to 192.168.0.5 on the same port... In that case I would use:

iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 64.34.82.201 \
  --destination-port 2046 -j DNAT --to-destination 192.168.0.5

Assuming that 192.168.0.1 is the internal IP on the same box that has the external IP 64.23.82.201... If this isn't correct you'd be welcome to contact me privately and I can try helping you out... I have 5 static public addresses that I NAT into my network using private IPs with a rather extensive set of rules...

> When I activate the program on the windows box (192.168.0.5) tcpdump
> reports lots of hits on eth0 port 2047 but nothing on eth1 port 2047
> and the program doesn't respond like it should.
>
> What am I misunderstanding? Does it matter whether the SNAT (to do
> masquerading) or the DNAT rule comes first?
>

Doesn't matter whether SNAT/Masq comes before DNAT as far as I am aware, as DNAT is done in PREROUTING and SNAT/Masq is done in POSTROUTING... In this case remember that DNAT rules will be tried before it has applied any SNAT/Masq rules...

The only order to keep in mind is that the rules on each table are check'd in the order they are added to the chain... It will match the first rule it encounters, so that order is important...

> Also, how do you list the nat chains? 'iptables -L' only lists the
> filter chains.
>

If you do an 'iptables -t nat -L' you can list the NAT tables... 'iptables -L' is the same as 'iptables -t filter -L', which is only the policy rules...

Respectfully,
Jeremy
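The two replies above agree on the fix: drop -s, make -d the public address, and remember that DNAT in nat/PREROUTING runs before any SNAT in nat/POSTROUTING. The script below is an added example, not code from the thread or from any of its posters: an ipmasqadm-style portfw wrapper that emits the corrected iptables rule, warns about the private-address mistake from the thread, and adds the filter/FORWARD rule a DNATed packet still has to pass. The names IPTABLES, is_private_ip, valid_port, portfw and portfw_allow are mine.

```shell
#!/bin/sh
# Added example, not from the thread: an ipmasqadm-style "portfw" wrapper that emits
# the equivalent iptables DNAT rule with the corrections the replies give (no -s, and
# -d is the public address). Rules are printed by default; set IPTABLES=iptables to apply.
IPTABLES="${IPTABLES:-echo}"

# Returns 0 if $1 is an RFC 1918 private address (10/8, 172.16/12, 192.168/16).
is_private_ip() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# portfw EXTIP EXTPORT INTIP [INTPORT]
# Mirrors: ipmasqadm portfw -a -P tcp -L EXTIP EXTPORT -R INTIP INTPORT
portfw() {
    extip=$1; extport=$2; intip=$3; intport=${4:-$2}
    if ! valid_port "$extport" || ! valid_port "$intport"; then
        echo "portfw: bad port '$extport' / '$intport'" >&2; return 2
    fi
    # The mistake in the thread: -d must be the address outside hosts actually send to.
    if is_private_ip "$extip"; then
        echo "portfw: warning: '$extip' is private; outside hosts cannot send to it" >&2
    fi
    # No -s, so any source matches. DNAT lives in nat/PREROUTING, which runs before the
    # routing decision and before any SNAT/MASQUERADE in nat/POSTROUTING.
    "$IPTABLES" -t nat -A PREROUTING -p tcp -d "$extip" --dport "$extport" \
        -j DNAT --to-destination "$intip:$intport"
}

# The DNATed packet is then routed and still traverses filter/FORWARD, which sees the
# rewritten (internal) destination, so allow it there as well.
portfw_allow() {
    "$IPTABLES" -A FORWARD -p tcp -d "$1" --dport "$2" -j ACCEPT
}

# The rule Rick wanted, as the replies reconstruct it:
portfw 64.34.82.201 2047 192.168.0.5
portfw_allow 192.168.0.5 2047
```

After applying for real, list the nat table with 'iptables -t nat -L -n' as both replies describe; the FORWARD rule only matters when the filter FORWARD chain would otherwise drop the traffic.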
Re: iptables port forwarding?
On Sun, Feb 17, 2002 at 03:43:25AM -0800, Jeremy T. Bouse wrote:
> On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> > How do I port forward with iptables? With ipchains the command was:
> >
> > ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
>
> What I have in my firewall rules script built with Firewall
> Builder 1.0.0 (fwbuilder) to do port forwarding is:
>
> iptables -t nat -A PREROUTING -p tcp -s -d --destination-port -j DNAT --to-destination :
>
> This works very good... In fact all my machines are behind the
> firewall and only have what ports are forward'd in available...

OK. Here is the rule I used:

iptables -t nat -A PREROUTING -p tcp -s 64.34.82.201 -d 192.168.0.1 --destination-port 2047 -j DNAT --to-destination 192.168.0.5:2047

When I activate the program on the windows box (192.168.0.5) tcpdump reports lots of hits on eth0 port 2047 but nothing on eth1 port 2047 and the program doesn't respond like it should.

What am I misunderstanding? Does it matter whether the SNAT (to do masquerading) or the DNAT rule comes first?

Also, how do you list the nat chains? 'iptables -L' only lists the filter chains.

--
If each man has the right to defend, even by force, his person, his liberty, and his property, several men have the right to get together, come to an understanding, and organize a collective force to provide regularly for this defense.
-- Frédéric Bastiat (1801-1850)
Rick Pasotto [EMAIL PROTECTED] http://www.niof.net
Re: iptables port forwarding?
* Rick Pasotto ([EMAIL PROTECTED]) [020216 21:40]:
> How do I port forward with iptables? With ipchains the command was:
>
> ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port

Try this:

iptables -t nat -A PREROUTING -p tcp -d $extip --dport $port \
  -j DNAT --to-destination $intip

Check out the iptables manpage for more help (try searching for DNAT).

good times,
Vineet
--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume/
--
Satan laughs when we kill each other. Peace is the only way.
Re: iptables port forwarding?
On Sun, Feb 17, 2002 at 12:37:08AM -0500, Rick Pasotto wrote:
> How do I port forward with iptables? With ipchains the command was:
>
> ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port
>

What I have in my firewall rules script built with Firewall Builder 1.0.0 (fwbuilder) to do port forwarding is:

iptables -t nat -A PREROUTING -p tcp -s -d --destination-port -j DNAT --to-destination :

This works very good... In fact all my machines are behind the firewall and only have what ports are forward'd in available...

Jeremy
iptables port forwarding?
How do I port forward with iptables? With ipchains the command was:

ipmasqadm portfw -a -P tcp -L $extip $port -R $intip $port

--
"Once the principle of government -- judicial monopoly and the power to tax -- is incorrectly accepted as just, any notion of restraining government power and safeguarding individual liberty and property is illusory."
-- Hans-Herman Hoppe
Rick Pasotto [EMAIL PROTECTED] http://www.niof.net