[Firewall] Port forwarding and Transparent DNAT question

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Nov 15 03:45:07 MST 2007


Just tested in my test environment with kernel 2.6.22 with the latest 
version of my DNAT plugin which only has a line like:

iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1

And this just works... Are you sure you don't see any packet drop or 
something in your firewall log? Or that you have some proxy setting 
enabled in your conf?

a.

Andy wrote:
> Both commands are accepted, but upon trying, nothing back, and nothing 
> in the firewall logs.
> 
> Thank you for trying, it seems this is a little too complex for iptables 
> to get its head around!
> 
> Andy
> 
> 
> Arno van Amersfoort wrote:
>> And if you make it:
>>
>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1
>> iptables -A FORWARD -p tcp --dport 25 -d 1.2.3.4 -j ACCEPT
>>
>>
>> Does this work, or do you see anything, i.e. a packet drop, in the firewall log?
>>
>> a.
>>
>> Andy wrote:
>>> Hi Arno,
>>> No, that line is accepted, no kernel errors, but also no luck with the 
>>> forwarding; it just times out.
>>>
>>> Regards,
>>>
>>> Andy
>>>
>>>
>>> Arno van Amersfoort wrote:
>>>> And if you make it even more simple like:
>>>>
>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1
>>>>
>>>> (without the trailing :25)
>>>>
>>>> Do you get the exact same message in your kernel log?
>>>>
>>>> a.
>>>>
>>>> Andy Brown wrote:
>>>>> Cheers for the effort as always :)
>>>>>
>>>>> Unfortunately not, I modified that line as it initially failed, so trying:
>>>>>
>>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>
>>>>> Still no luck with that unfortunately.
>>>>>
>>>>> Regards,
>>>>> Andy
>>>>>
>>>>>
>>>>>
>>>>> Arno van Amersfoort wrote:
>>>>>> And if you try:
>>>>>> iptables -t nat -A PREROUTING -d 1.2.3.4 --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>>
>>>>>> Does this fix the problem?
>>>>>>
>>>>>> If so, I need to update the plugin, so please let me know your findings.
>>>>>>
>>>>>> a.
>>>>>>
>>>>>> Andy wrote:
>>>>>>> Hi all,
>>>>>>> Having come back to the scripts from using pfsense, due to it being very 
>>>>>>> inflexible and having several problems with ipsec VPNs, I'm using these 
>>>>>>> excellent scripts.
>>>>>>> I do have one query: I'm using the transparent DNAT and cannot quite get 
>>>>>>> it to do what I want.
>>>>>>>
>>>>>>> My firewall is on external 1.2.3.4, for example, and internal IP 192.168.55.2.
>>>>>>> My LAN server is on 192.168.55.1.
>>>>>>> So my firewall points ports 80, 25 and 143 to 192.168.55.1 via NAT rules.
>>>>>>>
>>>>>>> Now, I have added in transparent DNAT as I'd like to be able to connect 
>>>>>>> to 1.2.3.4 port 143 whilst internal to my network. My dnat settings are:
>>>>>>> ENABLED=1
>>>>>>> DNAT_MY_INTERNAL_IP="192.168.55.2"
>>>>>>> DNAT_MY_EXTERNAL_IP="195.97.244.58"
>>>>>>> DNAT_TCP_PORTS="25,80,143"
>>>>>>> DNAT_UDP_PORTS=""
>>>>>>>
>>>>>>> I have also tried setting my internal IP to 192.168.55.1 and still no luck.
>>>>>>>
>>>>>>> Trying things manually, if I paste a rule:
>>>>>>> iptables -t nat -A OUTPUT -d 1.2.3.4 -p tcp --dport 25 -j DNAT --to-destination 192.168.55.1:25
>>>>>>>
>>>>>>> Then try connecting, I've noticed this in my kernel logs:
>>>>>>>
>>>>>>> Nov  4 20:46:17 voyage kernel: NAT: no longer support implicit source 
>>>>>>> local NAT
>>>>>>> Nov  4 20:46:17 voyage kernel: NAT: packet src 192.168.55.2 -> dst 1.2.3.4
>>>>>>>
>>>>>>> Which looks bad. Is this something that has changed and causes 
>>>>>>> transparent DNAT not to work anymore with these kernels?
>>>>>>>
>>>>>>> Any advice please, guys? I'd rather not have to put in an internal DNS 
>>>>>>> intercept/hack to solve this problem if at all possible :)
>>>>>>>
>>>>>>>
>>>>> _______________________________________________
>>>>> Firewall mailing list
>>>>> Firewall at lists.btito.net
>>>>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>>>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>>>> http://rocky.eld.leidenuniv.nl
>>>>>
> 
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
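The rules the thread converges on only rewrite the destination; a LAN client talking to the public address also needs the server's replies steered back through the firewall, otherwise the client sees an answer from the wrong source address and the connection simply times out, which matches the symptom Andy reports, and the kernel message he quotes says the same source rewrite is no longer done implicitly for DNAT in the OUTPUT chain. The following is an added example, not code from the thread and not Arno's DNAT plugin: a POSIX shell function that prints (without applying) the full hairpin rule set, assuming the LAN is 192.168.55.0/24 and that the addrtype match is available.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arno's DNAT plugin.
# Prints (does not apply) the iptables rules for "hairpin" DNAT: a LAN
# client, or the firewall itself, reaches the internal server through the
# public address. DNAT alone delivers the SYN to the server, but the
# server's reply would go straight back to the client with the server's
# own address as source; the client expected a reply from the public IP,
# drops it, and the connection times out. The POSTROUTING SNAT rules make
# the reply travel back through the firewall, where conntrack undoes both
# rewrites. The addrtype rule is the explicit replacement for the implicit
# source NAT that the kernel message in the thread says is gone.
# Usage: hairpin_rules EXT_IP FW_INT_IP SERVER_IP LAN_NET 25,80,143
hairpin_rules() {
    ext_ip=$1; fw_int_ip=$2; server=$3; lan=$4
    for p in $(printf '%s' "$5" | tr ',' ' '); do
        # LAN clients addressing the public IP: rewrite the destination.
        printf 'iptables -t nat -A PREROUTING -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
            "$lan" "$ext_ip" "$p" "$server"
        # The firewall's own connections to its public IP (OUTPUT chain).
        printf 'iptables -t nat -A OUTPUT -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
            "$ext_ip" "$p" "$server"
        # By the time FORWARD sees the packet, its destination is the server.
        printf 'iptables -A FORWARD -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
            "$lan" "$server" "$p"
        # Hairpin for LAN clients: the server must answer the firewall, not the client.
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
            "$lan" "$server" "$p" "$fw_int_ip"
        # Explicit source NAT for locally generated packets that were DNATed in OUTPUT.
        printf 'iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
            "$server" "$p" "$fw_int_ip"
    done
}

# Number of rules emitted for the given arguments (five per port).
rule_count() { hairpin_rules "$@" | wc -l | tr -d ' '; }
```

Review the printed rules, then pipe them into sh on the firewall; the `-s LAN_NET` qualifier keeps the DNAT from interfering with connections arriving from the Internet, which the existing plugin rules already handle.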
