FW: port forwarding unsin iptables
well i appologize if anyone replied (hopefully) but my school decided to
nuke my e-mail server without informing anyone (thats what i get for going
to a state school). all the mail i had on that account is lost in
format-land.
well needless to say i am still having this problem and i would really like
to figure it out.. any help would be appreciated.
mike
-----Original Message-----
From: michael a. hacker [mailto:hack6500@ait.fredonia.edu]
Sent: Friday, August 11, 2000 2:03 AM
To: Debian Firewall
Subject: port forwarding unsin iptables
Thanks for the reply, some things were cleared up in my mind, yet some
have not changed. Yes i was using 2.4.0-test1-ac23, but yesterday (due
to some other problems) i switched to 2.4.0-test5 and iptables-1.1.1
(newest is always better right *wink*). I am using DNAT and here are
the rules i have defined.
-----cut------
#-- Forwading Options
###
# forward Incoming HTTP traffic on into internal host
/sbin/iptables -t nat -A PREROUTING -p tcp -d $EXTIP1 --dport 80 -j
DNAT --to $PORTFWIP1:80
# forward Incoming FTP traffic on into internal hosts
/sbin/iptables -t nat -A PREROUTING -p tcp -d $EXTIP1 --dport 21 -j
DNAT --to $PORTFWIP1:21
# forward Incoming ssh traffic on into internal hosts
/sbin/iptables -t nat -A PREROUTING -p tcp -d $EXTIP1 --dport 22 -j
DNAT --to $PORTFWIP1:22
# forward DCC send requests into internal hosts
/sbin/iptables -t nat -A PREROUTING -p tcp -d $EXTIP1 --dport 1029 -j
DNAT --to $PORTFWIP1:1029
#
###
-----end-----
Yet with these rules this way it seems that the source addres is being
mangled as well as the
destination. Everyone who connects to my ftp or www has a source address of
my proxy/firewall.
This is completely baffiling to me. now i have my SNAT rules defined prior
to my DNAT, but
I would _think_ that wouldnt make a stinkin bit of difference.
quite possibly i have my rules wrong, if someone could straighten me out id
appreciate it.
thanks
mike
-----Original Message-----
From: Steve Bowman [mailto:sbowman@frostwork.net]
Sent: Monday, August 07, 2000 10:24 AM
To: michael a. hacker
Cc: debian-firewall@lists.debian.org
Subject: Re: port forwarding unsin iptables (2.4.0-t1-ac23)
On Mon, Aug 07, 2000 at 09:06:39PM -0400, michael a. hacker wrote:
> maybe someone could help clear up some confusions i have with some of this
> ipchains ==> itables conversion that is going on. i was introduced to
chains
> almost 7 months ago now, and since that time i have been able to make it
do
> quite a bit of what i needed it to. i had some problems however (ftp,
dcc's)
> and some of my pals told me that tables "would fix everything!" well i
kinda
> feel like i bought a used car, because the same people that told me it
would
> work now are nowhere to been heard of on the topic. nm, i got a great
> ruleset
> working (halfway) in my opinion, heres my setup and what i need to fix.
>
> 1) my internal is masq'ed through my deb. box usin a PREROUTING rule and
> this works GREAT.
> 2) i have a internal server (www, etc.) that i want the world to be able
to
> reach on that internal lan. this is where my problems start.
>
> from what i have read (in confusion) to allow that to work i should set
up
> a
> POSTROUTING rule. well thats all good, other than the fact that when
someone
No. To do item 2, you need to use DNAT. This is only valid in the nat
table in the PREROUTING and OUTPUT chains. Try PREROUTING.
> connects to my http server they are forwarded into my server and their
> source
> addess is masqed as if they were actually coming from my deb. firewall.
this
> is
> just not acceptable.
Using DNAT should take care of this - AFAIK, the source address will not
be mangled. I have SNAT and other rules, but no DNAT rules so I can't
really test this right now. Think of DNAT as port-forwarding.
>
> i have messed around with a bunch of different rules and have had no
luck,
> there
> are FORWARDING and REDIRECT tables within the tables definition, but these
> dont
> seem to be for what i am trying to do. ? now i have also tried to
implement
> IPMASQ and
> IMPASQADM to do the same old port forwarding rules that i did in 2.2 but
> this
> doesnt work either. i understand that the kernel that im using is rather
old
> in the
> dev. life cycle, but i would think that i might me able to make this work.
i
> have
> compiled in ALL options that are even remotely liked to packet filtering.
if
> however
> someone feels that i _must_ get a new one i would do it.
You don't say which kernel version you're using. Oh, I see it in the
subject. I'm using 2.4.0-test1 without the ac patch(es) and it works fine
with iptables 1.1.0-1 from woody. Your kernel version is probably fine.
>
> i really just want to know if my thinking is correct, with using IPMASQ to
> do port forwarding.. sorry for the long message..
... -j MASQUERADE for outbound from dynamic IP
... -j SNAT for outbound from static IP
... -j DNAT for inbound port forwarding
You've probably already seen iptables(8), but you may also want to
look at the netfilter site since it has some docs not packaged with the
iptables deb. It's at http://netfilter.kernelnotes.org/ .
Good luck and have fun!
Steve
P.S. I'm really pleased with netfilter. I had a major attack on 8/1
which it was able to fend off quite nicely.
>
> mike
> hack6500@ait.fredonia.edu
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>
>
--
Steve Bowman <sbowman@frostwork.net> (preferred)
Buckeye, AZ <sbowman@goodnet.com> <bowmanc@acm.org>
<http://www.goodnet.com/~sbowman/>
Powered by Debian GNU/Linux <http://www.debian.org>
Reply to: