[Firewall] Port forwarding and Transparent DNAT question

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Tue Nov 13 04:54:06 MST 2007


And if you make it:

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1
iptables -A FORWARD -p tcp --dport 25 -d 1.2.3.4 -j ACCEPT


Does this work, or do you see anything (i.e. a packet drop) in the firewall log?

a.

Andy wrote:
> Hi Arno,
> No that line is accepted, no kernel errors but also no luck with the 
> forwarding, it just times out.
> 
> Regards,
> 
> Andy
> 
> 
> Arno van Amersfoort wrote:
>> And if you make it even more simple like:
>>
>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1
>>
>> (without the trailing :25)
>>
>> Do you get the exact same message in your kernel log?
>>
>> a.
>>
>> Andy Brown wrote:
>>> Cheers for the effort as always :)
>>>
>>> Unfortunately not, I modified that line as it initially failed, so trying:
>>>
>>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>
>>> Still no luck with that unfortunately.
>>>
>>> Regards,
>>> Andy
>>>
>>>
>>>
>>> Arno van Amersfoort wrote:
>>>> And if you try:
>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>
>>>> Does this fix the problem?
>>>>
>>>> If so, I need to update the plugin, so please let me know your findings.
>>>>
>>>> a.
>>>>
>>>> Andy wrote:
>>>>> Hi all,
>>>>> Having come back to the scripts from using pfsense, due to it being very 
>>>>> inflexible and several problems with ipsec VPNs, I'm using these 
>>>>> excellent scripts.
>>>>> I do have one query, I'm using the transparent DNAT and cannot quite get 
>>>>> it to do what I want.
>>>>>
>>>>> My firewall is on external 1.2.3.4 for example and internal IP 192.168.55.2
>>>>> My LAN server is on 192.168.55.1
>>>>> So my firewall points ports 80, 25 and 143 to 192.168.55.1 via NAT rules.
>>>>>
>>>>> Now, I have added in transparent DNAT as I'd like to be able to connect 
>>>>> to 1.2.3.4 port 143 whilst internal to my network. My dnat settings are:
>>>>> ENABLED=1
>>>>> DNAT_MY_INTERNAL_IP="192.168.55.2"
>>>>> DNAT_MY_EXTERNAL_IP="195.97.244.58"
>>>>> DNAT_TCP_PORTS="25,80,143"
>>>>> DNAT_UDP_PORTS=""
>>>>>
>>>>> I have also tried setting my internal IP to 192.168.55.1 and still no luck.
>>>>>
>>>>> Trying things manually, if I paste a rule:
>>>>> iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>
>>>>> Then try connecting, I've noticed this in my kernel logs:
>>>>>
>>>>> Nov  4 20:46:17 voyage kernel: NAT: no longer support implicit source local NAT
>>>>> Nov  4 20:46:17 voyage kernel: NAT: packet src 192.168.55.2 -> dst 1.2.3.4
>>>>>
>>>>> Which looks bad, is this something that has changed and causes 
>>>>> transparent DNAT not to work anymore with these kernels??
>>>>>
>>>>> Any advice please, guys? I'd rather not have to put an internal DNS 
>>>>> intercept/hack in to solve this problem if at all possible :)
>>>>>
>>>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at lists.btito.net
>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>>
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
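None of the rule sets tried in the thread include a source NAT, and Andy's symptom (the PREROUTING DNAT is accepted, nothing is logged, the connection just times out) is consistent with the usual hairpin NAT failure: a LAN client sends to 1.2.3.4, the firewall rewrites the destination to 192.168.55.1, but the server answers the client directly on the shared subnet, so the client receives a reply from an address it never talked to and the connection never completes. Source-NATing the hairpinned packets to the firewall's own LAN address forces the reply back through the firewall, where conntrack undoes both translations. The kernel message Andy quotes, "NAT: no longer support implicit source local NAT", says the same thing for the firewall's own processes: the kernel no longer picks a new source address by itself for locally generated packets whose route changes after DNAT, so the SNAT has to be stated explicitly. The script below is an added example, not Arno's firewall scripts or the transparent DNAT plugin; the addresses and ports come from the thread, while the variable names, the `ipt` wrapper and the `DRY_RUN` switch are assumptions made here for illustration.

```shell
#!/bin/sh
# Hairpin ("transparent") DNAT for LAN clients that connect to the public
# address of a server that actually lives on the LAN.
# Added example; the existing Internet-facing DNAT rules are assumed to be
# in place already and are not repeated here.

EXT_IP="${EXT_IP:-1.2.3.4}"                 # firewall's public address
INT_IP="${INT_IP:-192.168.55.2}"            # firewall's LAN address
LAN_SERVER="${LAN_SERVER:-192.168.55.1}"    # real server on the LAN
LAN_NET="${LAN_NET:-192.168.55.0/24}"       # LAN subnet (assumed /24)
TCP_PORTS="${TCP_PORTS:-25,80,143}"         # comma separated, as in the plugin config

# Run iptables, or just print the command when DRY_RUN is set (hypothetical
# switch for this example; lets you review the rules before touching the box).
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Emit the four rules needed for one TCP port.
hairpin_rules() {
    port=$1
    # 1. LAN clients addressing the public IP: rewrite the destination.
    ipt -t nat -A PREROUTING -s "$LAN_NET" -d "$EXT_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$LAN_SERVER"
    # 2. The firewall's own processes addressing the public IP: same rewrite,
    #    but locally generated packets pass the nat OUTPUT chain instead.
    ipt -t nat -A OUTPUT -d "$EXT_IP" -p tcp --dport "$port" \
        -j DNAT --to-destination "$LAN_SERVER"
    # 3. The important part: make the server answer the firewall, not the
    #    client. Only hairpinned (LAN-sourced) traffic is SNATed, so the
    #    server still sees real source addresses for Internet clients.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$LAN_SERVER" -p tcp --dport "$port" \
        -j SNAT --to-source "$INT_IP"
    # 4. Let the forwarded connection through the filter table.
    ipt -A FORWARD -s "$LAN_NET" -d "$LAN_SERVER" -p tcp --dport "$port" \
        -j ACCEPT
}

# Apply the rule set for every configured port.
install_hairpin() {
    for p in $(printf '%s' "$TCP_PORTS" | tr ',' ' '); do
        hairpin_rules "$p"
    done
}

# Usage:  DRY_RUN=1 sh hairpin.sh        # print the rules
#         sh hairpin.sh apply            # load them with iptables
if [ "${1:-}" = "apply" ] || [ -n "$DRY_RUN" ]; then
    install_hairpin
fi
```

After loading the rules, `iptables -t nat -L POSTROUTING -n -v` should show the SNAT counters increasing when a LAN host connects to 1.2.3.4; if the DNAT counter moves but the SNAT counter stays at zero, the source or destination match does not fit your addressing and the reply will still bypass the firewall. The rules assume the locally generated packets leave with the firewall's LAN address as source, which is what the quoted kernel log shows (`src 192.168.55.2`); a firewall whose processes pick 1.2.3.4 as source instead would need the POSTROUTING match widened accordingly.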