[Firewall] Port forwarding and Transparent DNAT question

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Wed Nov 14 06:41:14 MST 2007


What is your kernel version?

a.

Andy wrote:
> Both commands are accepted, but upon trying, nothing back, and nothing 
> in the firewall logs.
>
> Thank you for trying; it seems this is a little too complex for iptables 
> to get its head around!
>
> Andy
>
>
> Arno van Amersfoort wrote:
>   
>> And if you make it:
>>
>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1
>> # FORWARD sees the packet after DNAT, so match the rewritten destination
>> iptables -A FORWARD -p tcp --dport 25 -d 192.168.55.1 -j ACCEPT
>>
>>
>> Does this work, or do you see anything (i.e. a packet drop) in the firewall log?
>>
>> a.
>>
>> Andy wrote:
>>     
>>> Hi Arno,
>>> No, that line is accepted, no kernel errors, but also no luck with the 
>>> forwarding; it just times out.
>>>
>>> Regards,
>>>
>>> Andy
>>>
>>>
>>> Arno van Amersfoort wrote:
>>>       
>>>> And if you make it even simpler, like:
>>>>
>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1
>>>>
>>>> (without the trailing :25)
>>>>
>>>> Do you get the exact same message in your kernel log?
>>>>
>>>> a.
>>>>
>>>> Andy Brown wrote:
>>>>         
>>>>> Cheers for the effort as always :)
>>>>>
>>>>> Unfortunately not; I modified that line as it initially failed, so I am trying:
>>>>>
>>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>
>>>>> Still no luck with that unfortunately.
>>>>>
>>>>> Regards,
>>>>> Andy
>>>>>
>>>>>
>>>>>
>>>>> Arno van Amersfoort wrote:
>>>>>           
>>>>>> And if you try:
>>>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>>
>>>>>> Does this fix the problem?
>>>>>>
>>>>>> If so, I need to update the plugin, so please let me know your findings.
>>>>>>
>>>>>> a.
>>>>>>
>>>>>> Andy wrote:
>>>>>>             
>>>>>>> Hi all,
>>>>>>> Having come back to the scripts from using pfSense, due to it being very 
>>>>>>> inflexible and having several problems with IPsec VPNs, I'm using these 
>>>>>>> excellent scripts.
>>>>>>> I do have one query: I'm using the transparent DNAT and cannot quite get 
>>>>>>> it to do what I want.
>>>>>>>
>>>>>>> My firewall is on external IP 1.2.3.4 (for example) and internal IP 192.168.55.2.
>>>>>>> My LAN server is on 192.168.55.1.
>>>>>>> So my firewall points ports 80, 25 and 143 to 192.168.55.1 via NAT rules.
>>>>>>>
>>>>>>> Now, I have added in transparent DNAT as I'd like to be able to connect 
>>>>>>> to 1.2.3.4 port 143 whilst internal to my network. My dnat settings are:
>>>>>>> ENABLED=1
>>>>>>> DNAT_MY_INTERNAL_IP="192.168.55.2"
>>>>>>> DNAT_MY_EXTERNAL_IP="195.97.244.58"
>>>>>>> DNAT_TCP_PORTS="25,80,143"
>>>>>>> DNAT_UDP_PORTS=""
>>>>>>>
>>>>>>> I have also tried setting my internal IP to 192.168.55.1 and still no luck.
>>>>>>>
>>>>>>> Trying things manually, if I paste a rule:
>>>>>>> iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>>>
>>>>>>> and then try connecting, I've noticed this in my kernel logs:
>>>>>>>
>>>>>>> Nov  4 20:46:17 voyage kernel: NAT: no longer support implicit source local NAT
>>>>>>> Nov  4 20:46:17 voyage kernel: NAT: packet src 192.168.55.2 -> dst 1.2.3.4
>>>>>>>
>>>>>>> Which looks bad. Is this something that has changed and causes 
>>>>>>> transparent DNAT not to work anymore with these kernels?
>>>>>>>
>>>>>>> Any advice please, guys? I'd rather not have to put in an internal DNS 
>>>>>>> intercept/hack to solve this problem if at all possible :)
>>>>>>>
>>>>>>>
>>>>>>>               
>>>>> _______________________________________________
>>>>> Firewall mailing list
>>>>> Firewall at lists.btito.net
>>>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>>> http://rocky.eld.leidenuniv.nl
>>>>>
>>>>>           
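The rule set the thread is working towards, as an added example that is not the firewall scripts' own plugin code: a LAN client connecting to the public IP is DNATed to the LAN server and also SNATed to the firewall's LAN address, so the server's replies return through the firewall instead of going straight to the client (which is what makes the plain DNAT attempts above time out). Addresses are those from Andy's mail; the interface name eth1 is an assumption, and the OUTPUT part only covers connections made from the firewall box itself.

```shell
#!/bin/sh
# Hairpin ("transparent") DNAT for the setup described in the thread.
# Added example, not the firewall scripts' own code or plugin.
# Addresses come from Andy's mail; LAN_IF is an assumption.
EXT_IP=1.2.3.4          # firewall's public address
FW_LAN_IP=192.168.55.2  # firewall's LAN address (DNAT_MY_INTERNAL_IP)
SERVER=192.168.55.1     # LAN server the ports are forwarded to
LAN=192.168.55.0/24
LAN_IF=eth1             # assumed name of the LAN interface
TCP_PORTS="25 80 143"

# Print the rules rather than applying them, so they can be reviewed first.
hairpin_rules() {
  for p in $TCP_PORTS; do
    # 1. LAN host -> public IP: rewrite the destination to the LAN server.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN -d $EXT_IP -p tcp --dport $p -j DNAT --to-destination $SERVER"
    # 2. Rewrite the source too. Without this the server, being on the same
    #    subnet as the client, answers the client directly; the client expects
    #    the reply from $EXT_IP, ignores it, and the connection times out.
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN -d $SERVER -p tcp --dport $p -j SNAT --to-source $FW_LAN_IP"
    # 3. The hairpinned flow enters and leaves on the LAN interface.
    echo "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $SERVER -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # 4. Connections from the firewall itself never pass PREROUTING; they go
  #    through the OUTPUT chain, and the kernel no longer adjusts their source
  #    implicitly (the "no longer support implicit source local NAT" message),
  #    so SNAT them explicitly as well.
  for p in $TCP_PORTS; do
    echo "iptables -t nat -A OUTPUT -d $EXT_IP -p tcp --dport $p -j DNAT --to-destination $SERVER"
  done
  echo "iptables -t nat -A POSTROUTING -o $LAN_IF -m addrtype --src-type LOCAL -d $SERVER -j SNAT --to-source $FW_LAN_IP"
}

# Run as root with --apply to load the rules; otherwise just show them.
if [ "$1" = "--apply" ]; then
  hairpin_rules | sh -e
else
  hairpin_rules
fi
```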
