
Re: port forwarding using iptables (2.4.0-t1-ac23)

On Mon, Aug 07, 2000 at 09:06:39PM -0400, michael a. hacker wrote:
> Maybe someone could help clear up some confusions I have with some of this
> ipchains ==> iptables conversion that is going on. I was introduced to chains
> almost 7 months ago now, and since that time I have been able to make it do
> quite a bit of what I needed it to. I had some problems however (ftp, dcc's)
> and some of my pals told me that tables "would fix everything!" Well, I kinda
> feel like I bought a used car, because the same people that told me it would
> work now are nowhere to be heard of on the topic. NM, I got a great ruleset
> working (halfway) in my opinion. Here's my setup and what I need to fix.
>  1) My internal is masq'ed through my Deb. box using a PREROUTING rule and
>     this works GREAT.
>  2) I have an internal server (www, etc.) that I want the world to be able to
>     reach on that internal LAN. This is where my problems start.
>  From what I have read (in confusion), to allow that to work I should set up a
> POSTROUTING rule. Well, that's all good, other than the fact that when someone

No.  To do item 2, you need to use DNAT.  This is only valid in the nat
table in the PREROUTING and OUTPUT chains.  Try PREROUTING.

> connects to my http server they are forwarded into my server and their source
> address is masq'ed as if they were actually coming from my Deb. firewall. This
> is just not acceptable.

Using DNAT should take care of this - AFAIK, the source address will not
be mangled.  I have SNAT and other rules, but no DNAT rules so I can't
really test this right now.  Think of DNAT as port-forwarding.

>   I have messed around with a bunch of different rules and have had no luck;
> there are FORWARDING and REDIRECT tables within the tables definition, but
> these don't seem to be for what I am trying to do. Now I have also tried to
> implement IPMASQ and IPMASQADM to do the same old port forwarding rules that I
> did in 2.2, but this doesn't work either. I understand that the kernel that
> I'm using is rather old in the dev. life cycle, but I would think that I might
> be able to make this work. I have compiled in ALL options that are even
> remotely linked to packet filtering. If however someone feels that I _must_
> get a new one I would do it.

You don't say which kernel version you're using.  Oh, I see it in the
subject.  I'm using 2.4.0-test1 without the ac patch(es) and it works fine
with iptables 1.1.0-1 from woody.  Your kernel version is probably fine.

> I really just want to know if my thinking is correct, with using IPMASQ to
> do port forwarding. Sorry for the long message.

... -j MASQUERADE for outbound from dynamic IP
... -j SNAT for outbound from static IP
... -j DNAT for inbound port forwarding

You've probably already seen iptables(8), but you may also want to
look at the netfilter site since it has some docs not packaged with the
iptables deb.  It's at http://netfilter.kernelnotes.org/ .

Good luck and have fun!

P.S. I'm really pleased with netfilter.  I had a major attack on 8/1
which it was able to fend off quite nicely.

> mike
> hack6500@ait.fredonia.edu

Steve Bowman  <sbowman@frostwork.net> (preferred)
Buckeye, AZ   <sbowman@goodnet.com> <bowmanc@acm.org>

Powered by Debian GNU/Linux <http://www.debian.org>
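The three-rule layout Steve sketches (MASQUERADE or SNAT in POSTROUTING for outbound, DNAT in PREROUTING for inbound) written out as a small POSIX sh script. This is an added example, not code from this thread, from Debian or from the netfilter project; the interface name eth0, the LAN 192.168.1.0/24, the web server 192.168.1.10 and the DRY_RUN switch are all assumptions made here so the ruleset can be printed and checked on a machine without netfilter.

```shell
#!/bin/sh
# Added example, not code from the thread or from the netfilter project.
# Assumptions (not from the original post): eth0 is the external interface,
# 192.168.1.0/24 is the LAN, and 192.168.1.10 is the internal web server.
# DRY_RUN=1 prints each iptables command instead of loading it, so the
# ruleset can be reviewed (or tested) on a box without netfilter.

WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WWW_HOST="${WWW_HOST:-192.168.1.10}"
WAN_IP="${WAN_IP:-}"          # leave empty for a dynamic external address

# Wrapper around iptables: echo the command in dry-run mode, run it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Outbound NAT lives in the nat table's POSTROUTING chain:
# MASQUERADE when the external address is dynamic, SNAT when it is static.
outbound_nat() {
    if [ -n "$WAN_IP" ]; then
        run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
    else
        run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    fi
}

# Inbound port forwarding is DNAT in the nat table's PREROUTING chain.
# Only the destination is rewritten, so the server logs the real client
# address; connection tracking undoes the rewrite on the reply packets.
# The rewritten packet is then routed and still has to pass the filter
# table's FORWARD chain, so a matching ACCEPT is needed there as well
# (FORWARD sees the already-translated destination, hence -d "$WWW_HOST").
inbound_dnat() {
    port="$1"
    run -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$port" -j DNAT --to-destination "$WWW_HOST:$port"
    run -A FORWARD -i "$WAN_IF" -p tcp -d "$WWW_HOST" --dport "$port" -m state --state NEW -j ACCEPT
}

# Full ruleset: default-deny FORWARD, allow replies, allow LAN out, NAT both ways.
apply_ruleset() {
    run -t nat -F
    run -F FORWARD
    run -P FORWARD DROP
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    outbound_nat
    inbound_dnat 80
    # Nothing is forwarded at all unless IP forwarding is switched on.
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) apply_ruleset ;;
    show)  DRY_RUN=1; apply_ruleset ;;
esac
```

Run it as `sh nat.sh show` to print the rules and `sh nat.sh apply` (as root) to load them. The nat table sits on top of connection tracking, so ip_conntrack and iptable_nat must be built in or loaded. One caveat on the "source address is masq'ed" complaint in the thread: with a plain DNAT the server sees the client's address, and the only case where you would deliberately SNAT the forwarded connection as well is a LAN client reaching the server through the firewall's external address, where the reply would otherwise bypass the firewall.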