[gentoo-user] destination nat (port forwarding)
Hello Gentooers...

I'm trying to do port forwarding in my box... which has a dynamic ip address and a local ip address of 10.0.0.1. I want to redirect, for example, the incoming telnet port to another ip at the local network; later I want to do the same with a range of ports (is that possible?).

I'm trying to do it with iptables destination nat. I created this rule:

Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
 pkts bytes target prot opt in  out source   destination
    8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23

with this command:

iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23

When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?

Thanks
-- 
Pupeno: [EMAIL PROTECTED] http://www.kde.org

-- 
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] destination nat (port forwarding)
On Wed, 3 Sep 2003 06:34:27 -0300 Pupeno [EMAIL PROTECTED] wrote:

> Hello Gentooers...
>
> I'm trying to do port forwarding in my box... which has a dynamic ip address and a local ip address of 10.0.0.1. I want to redirect, for example, the incoming telnet port to another ip at the local network; later I want to do the same with a range of ports (is that possible?).
>
> I'm trying to do it with iptables destination nat. I created this rule:
>
> Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
>  pkts bytes target prot opt in  out source   destination
>     8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23
>
> with this command:
>
> iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23
>
> When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?
>
> Thanks

The only thing that comes to my mind is that you have to activate masquerading for outgoing packets and allow forwarding of established connections:

iptables -t nat -A POSTROUTING -o <outgoing device> -j MASQUERADE
iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

That should do the thing...

greetings,
tom
Re: [gentoo-user] destination nat (port forwarding)
On Wednesday 03 September 2003 05:34 am, Pupeno wrote:

> Hello Gentooers...
>
> I'm trying to do port forwarding in my box... which has a dynamic ip address and a local ip address of 10.0.0.1. I want to redirect, for example, the incoming telnet port to another ip at the local network; later I want to do the same with a range of ports (is that possible?).
>
> I'm trying to do it with iptables destination nat. I created this rule:
>
> Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
>  pkts bytes target prot opt in  out source   destination
>     8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23
>
> with this command:
>
> iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23
>
> When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?
>
> Thanks

The first thing I'd say is: Don't open your system to telnet from the outside! Use SSH instead!

The second thing would be to point you to floppyfw. floppyfw is a single-floppy distribution of Linux made to run on firewalls/routers. Their site is at: http://www.zelow.no/floppyfw/

I'm not suggesting that you have to use floppyfw at your site, although I use it and like it. But you should check out their HOWTO page, especially this link: http://www.zelow.no/floppyfw/download/HOWTOS/ffw-3ethernets-multi_ip-howto.txt

It sounds like it may be related to what you're trying to do.

--Tony
Re: [gentoo-user] destination nat (port forwarding)
On Wednesday September 3 2003 09:58, Thomas Schneider wrote:

> On Wed, 3 Sep 2003 06:34:27 -0300 Pupeno [EMAIL PROTECTED] wrote:
>
>> Hello Gentooers...
>>
>> I'm trying to do port forwarding in my box... which has a dynamic ip address and a local ip address of 10.0.0.1. I want to redirect, for example, the incoming telnet port to another ip at the local network; later I want to do the same with a range of ports (is that possible?).
>>
>> I'm trying to do it with iptables destination nat. I created this rule:
>>
>> Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
>>  pkts bytes target prot opt in  out source   destination
>>     8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23
>>
>> with this command:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23
>>
>> When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?
>>
>> Thanks
>
> The only thing that comes to my mind is that you have to activate masquerading for outgoing packets and allow forwarding of established connections:
>
> iptables -t nat -A POSTROUTING -o <outgoing device> -j MASQUERADE
> iptables -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

I already have those:

Chain POSTROUTING (policy ACCEPT 261 packets, 15968 bytes)
 pkts bytes target     prot opt in  out  source   destination
 2412  147K MASQUERADE all  --  any eth1 anywhere anywhere

and

Chain FORWARD (policy DROP 29 packets, 1668 bytes)
 pkts bytes target prot opt in   out  source   destination
    0     0 DROP   all  --  any  any  anywhere anywhere    state INVALID
 139K  180M ACCEPT all  --  eth1 eth0 anywhere anywhere    state RELATED,ESTABLISHED
 139K 8170K ACCEPT all  --  eth0 eth1 anywhere anywhere

as well as

Chain INPUT (policy DROP 4824 packets, 773K bytes)
 pkts bytes target prot opt in   out source   destination
  209 18037 ACCEPT all  --  lo   any anywhere anywhere
 119K   11M ACCEPT all  --  eth0 any anywhere anywhere
 109K  101M ACCEPT all  --  eth1 any anywhere anywhere    state RELATED,ESTABLISHED
    9   540 ACCEPT tcp  --  eth1 any anywhere anywhere    tcp dpt:ssh
    0     0 ACCEPT tcp  --  eth1 any anywhere anywhere    tcp dpt:telnet

Am I still missing something?

Thanks.
(feel free to test it, by telneting to lab.pupeno.com)
-- 
Pupeno: [EMAIL PROTECTED] http://www.kde.org
Re: [gentoo-user] destination nat (port forwarding)
On Wed, 3 Sep 2003 07:30:05 -0300 Pupeno [EMAIL PROTECTED] wrote:

> and
>
> Chain FORWARD (policy DROP 29 packets, 1668 bytes)
>  pkts bytes target prot opt in   out  source   destination
>  139K  180M ACCEPT all  --  eth1 eth0 anywhere anywhere    state RELATED,ESTABLISHED

I think you have to forward new connections from outside the world on port 23.

greetz,
tom
Re: [gentoo-user] destination nat (port forwarding)
> I'm trying to do it with iptables destination nat. I created this rule:
>
> Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
>  pkts bytes target prot opt in  out source   destination
>     8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23
>
> with this command:
>
> iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23
>
> When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?

iptables should route the packets coming back without any other instruction.

emerge ethereal and look at the traffic going through your box. Does the SYN go to the LAN box? Does a SYN ACK come back? Can you ping the LAN box from the router and vice-versa?

And don't use masquerading, that's not what you need.

-- 
mathieu
Re: [gentoo-user] destination nat (port forwarding)
On Wed, 3 Sep 2003 16:08:44 +0200 [ staff ] - Mathieu Perrenoud [EMAIL PROTECTED] wrote:

>> I'm trying to do it with iptables destination nat. I created this rule:
>>
>> Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
>>  pkts bytes target prot opt in  out source   destination
>>     8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23
>>
>> with this command:
>>
>> iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23
>>
>> When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?
>
> iptables should route the packets coming back without any other instruction.
>
> emerge ethereal and look at the traffic going through your box. Does the SYN go to the LAN box? Does a SYN ACK come back? Can you ping the LAN box from the router and vice-versa?
>
> And don't use masquerading, that's not what you need.

But afaik you need masquerading for the outgoing packets, 'cause they would have the internal address if you don't masquerade them? Did I understand this in a wrong way?

greetings,
tom
Re: [gentoo-user] destination nat (port forwarding)
On Wednesday 03 September 2003 04:13 pm, Thomas Schneider wrote:

> But afaik you need masquerading for the outgoing packets, 'cause they would have the internal address if you don't masquerade them? Did I understand this in a wrong way?

You need masq if you want LAN boxes to see the net, but DNAT-ing telnet shouldn't need masq to route packets back.

-- 
mathieu
RE: [gentoo-user] destination nat (port forwarding)
Here,

iptables -I FORWARD -p tcp -d $destip --dport $destport -j ACCEPT
iptables -I FORWARD -p udp -d $destip --dport $destport -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i $interface --dport $fwport -j DNAT --to $destip:$destport
iptables -t nat -A PREROUTING -p udp -i $interface --dport $fwport -j DNAT --to $destip:$destport

The above script came with my firewall. Just put your info in the variables and it will work.

Thanks,
Jeff

-----Original Message-----
From: Pupeno [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 03, 2003 4:34 AM
To: [EMAIL PROTECTED]
Subject: [gentoo-user] destination nat (port forwarding)

> Hello Gentooers...
>
> I'm trying to do port forwarding in my box... which has a dynamic ip address and a local ip address of 10.0.0.1. I want to redirect, for example, the incoming telnet port to another ip at the local network; later I want to do the same with a range of ports (is that possible?).
>
> I'm trying to do it with iptables destination nat. I created this rule:
>
> Chain PREROUTING (policy ACCEPT 9177 packets, 1980K bytes)
>  pkts bytes target prot opt in  out source   destination
>     8   480 DNAT   tcp  --  any any anywhere anywhere    tcp dpt:telnet to:10.0.0.4:23
>
> with this command:
>
> iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to 10.0.0.4:23
>
> When I telnet to the routing box, I see that the counters for that rule are incremented, so it seems to be working, but I was told that I'm missing a rule that NATs the packets back... but I'm not sure how to make that rule. Can anyone help me?
>
> Thanks
> -- 
> Pupeno: [EMAIL PROTECTED] http://www.kde.org
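Putting together Tom's point (forward NEW connections from outside on port 23) and Jeff's script, here is an added example that is not code from the thread: a POSIX sh helper that emits the DNAT rule plus the FORWARD rule Pupeno's rule set was missing, for a single port or a port range. It assumes Pupeno's layout (eth1 external, eth0 internal, LAN host 10.0.0.4) and a dry-run mode that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: build the iptables rules for a
# DNAT port forward, including the FORWARD rule for NEW connections that
# Pupeno's rule set lacked (its FORWARD policy is DROP and eth1->eth0 only
# accepts RELATED,ESTABLISHED, so the first SYN of each connection dies).
# Assumed layout: eth1 external, eth0 internal, LAN host 10.0.0.4.
# DRY_RUN=1 (the default here) prints the rules instead of applying them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# port_forward EXT_IF INT_IF PORTS DEST_IP [DEST_PORT]
#   PORTS is a single port (23) or a range (8000:8010). DEST_PORT remaps a
#   single port; for a range the original port is kept, which is what DNAT
#   does when --to-destination carries no port.
port_forward() {
  ext_if=$1; int_if=$2; ports=$3; dest_ip=$4; dest_port=$5
  case $ports in
    *:*) if [ -n "$dest_port" ]; then
           echo "port_forward: a range cannot be remapped to one port" >&2
           return 1
         fi ;;
  esac
  if [ -n "$dest_port" ]; then
    dnat_to="$dest_ip:$dest_port"; fwd_ports=$dest_port
  else
    dnat_to=$dest_ip; fwd_ports=$ports
  fi
  for proto in tcp udp; do
    # 1. Rewrite the destination before routing (the rule Pupeno had),
    #    restricted to the external interface so LAN traffic is untouched.
    run -t nat -A PREROUTING -i "$ext_if" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$dnat_to"
    # 2. The missing piece: let the NEW connection through FORWARD, but only
    #    to this host and port. Replies from the LAN host already match the
    #    existing eth0->eth1 ACCEPT, and conntrack reverses the DNAT on the
    #    way back, so no MASQUERADE is needed for the return traffic.
    run -A FORWARD -i "$ext_if" -o "$int_if" -p "$proto" -d "$dest_ip" \
        --dport "$fwd_ports" -m state --state NEW -j ACCEPT
  done
}

# Pupeno's case: telnet on the dynamic external address to 10.0.0.4:23.
port_forward eth1 eth0 23 10.0.0.4 23
# The follow-up question, a whole range forwarded to the same host:
port_forward eth1 eth0 8000:8010 10.0.0.4
```

Review the printed rules first; setting DRY_RUN=0 applies them with iptables.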