[long] NAT & port forwarding iptables problem

To: debian-firewall@lists.debian.org
Subject: [long] NAT & port forwarding iptables problem
From: Jeronimo Pellegrini <jeronimo@opus-software.com.br>
Date: Wed, 9 May 2001 11:02:07 -0300
Message-id: <[🔎] 20010509110207.A20562@juno>

Hello.

We have set up a potato firewall using IPTABLES
(with Adrian Bunk's packages, but with kernel 2.4.3-pre6,
compiled by myself). It should do 
masquerading and port forwarding (we want connections
to ports 25 and 80 forwarded to our mail and web server,
besides some other things).

It mostly works as it is now, except for one problem:

>From the outside world, everything works perfectly,
and ports are forwarded:

jeronimo@pinheiros:~$ telnet xxx.xxx.xxx.xxx 80
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.


from the internal network (10.10.10.0/8), it seems
that ports are being forwarded, but after the connection
is established, nothing else happens:

jeronimo@juno:~$ telnet firewall 80
Trying xxx.xxx.xxx.xxx...


After zeroing the counters in the nat table, and trying
to connect from the internal LAN, it seems that the 
connection was forwarded:

 1    60 DNAT       tcp  --  *      *       0.0.0.0/0    
          xxx.xxx.xxx.xxx    tcp dpt:80 to:10.10.10.107:80 
 
(line broken for readability)

Using the following rule:

$IPTABLES -t nat -A PREROUTING -p tcp -d 10.10.10.101 --dport 80 \
        -j DNAT --to $WEB_SERVER:80

And trying to connect to the firewall internal ip (which
is 10.10.10.101) also doesn't work:

jeronimo@juno$ telnet 10.10.10.101 80
Trying 10.10.10.101...

sniffit shows that the connection was open, since some
files were generated, but the files were not closed. 

We have already trying disabling all port blocking, and
using ACCEPT as policy for INPUT, FORWARD, and OUTPUT,
and only setting up masquerading and port forwarding,
and the problem persists. 

The servers do not have any firewall rules, and connecting
to the using their internal IPs work:

jeronimo@juno:~$ telnet 10.10.10.107 80
Trying 10.10.10.107...
Connected to 10.10.10.107.
Escape character is '^]'.

These are the rules in the nat table:


IFACE=eth0     # external
IFACE_IN=eth1  # internal 
HOSTIP=xxx.xxx.xxx.xxx # external IP number
MAIL_SERVER=10.10.10.107
WEB_SERVER=10.10.10.107


INT_IP=10.10.10.0/8

    echo 1 > /proc/sys/net/ipv4/ip_forward 

    $IPTABLES -t nat -A POSTROUTING -o $IFACE -s $INT_IP \
              -j MASQUERADE 

    $IPTABLES -t nat -A PREROUTING -d $HOSTIP -p tcp --dport 25 \ 
              -j DNAT --to $MAIL_SERVER:25 

    $IPTABLES -t nat -A PREROUTING -p tcp -d $HOSTIP --dport 80 \  
              -j DNAT --to $WEB_SERVER:80  


So... Shouldn't this work for the internal LAN too?

What could we be doing wrong here? I've read the NAT-howto,
and a few other documents on iptables, and I don't see
what we could have done wrong... 

Thanks a lot,
J.

Reply to:

Follow-Ups:
- Re: [long] NAT & port forwarding iptables problem
  - From: Cory Petkovsek <coryp@petersen-arne.com>

Prev by Date: Re: Proxy ARP.
Next by Date: Re: [long] NAT & port forwarding iptables problem
Previous by thread: Re: DNS thru firewall
Next by thread: Re: [long] NAT & port forwarding iptables problem
Index(es):
- Date
- Thread