Re: port forward with the ipmasq package and Iptables
On Tuesday 29 April 2003 11:28, Tom Goulet (UID0) wrote:
> > You shouldn't need the ipmasq package, NAT has been built into iptables
> > for ages.
>
> <blinks> I need the ipmasq package (or some other way to run Iptables
> with the right rules) because the box is an IP masquerading router.
Ok, obviously the ipmasq package does something other than what I thought it
does. I'd assumed it was something similar to the additional ip masquerade
tools that are required for ipchains to do NAT correctly.
> > A rule like this should do the trick:
> > iptables -t nat -A PREROUTING -p tcp -d $external-ip --dport $external-port \
> >     -j DNAT --to $internal-ip:$internal-port
>
> Should this work with my existing, complicated set of Iptables rules?
Depends. As this is an "append" rule it might break if there are any
DENY/REJECT rules before it in the chain, in which case it would be a matter
of tweaking the position in the chain. Also, if you've got DENY/REJECTs in
your FORWARD chain, these will potentially affect your connections too.
> This does the same thing all my other attempts have done: Change my
> error message from "Connection refused" to "Connection timed out".
>
> I'm sure the other end is listening.
In that case, you might need to put an explicit allow in the FORWARD chain for
that IP. It would depend on your ruleset.
> > $internal-ip in the last one can be changed to the network range, and
> > will allow general NAT for that network.
>
> It's not legal to put hyphens in shell variable names, by the way :-).
I'd just stripped those lines out of my present firewall code and formatted it
as an example. Sorry about that. :)
> I was assuming that lots of people used the ipmasq package with Iptables
> and lots of people needed to forward ports and lots of people
> immediately knew how and were just going to point me to a Debian page
> that I missed, but I guess not :o.
Not I... taking a quick look at it, it appears it's one of those
auto-generating firewall scripts. I tend to avoid them myself.
t
--
GPG: http://n12turbo.com/tarragon/public.key
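The two pieces the reply above describes, the nat/PREROUTING DNAT rule and the explicit FORWARD accept placed ahead of any drop/reject rules, as one script. This is an added example, not code from the thread or from the ipmasq package, and every address and port in it is an assumption for illustration: external interface eth0 at 203.0.113.10, external port 8080 forwarded to LAN host 10.0.0.5 port 80. IPTABLES defaults to a dry-run function that prints the commands; set IPTABLES=iptables and run as root to load them.

```sh
#!/bin/sh
# Added example (not from the thread): load a TCP port forward on a
# masquerading router.  Constructed values: eth0 / 203.0.113.10 outside,
# 10.0.0.5:80 inside.  Without IPTABLES=iptables in the environment the
# rules are only printed, so the file is safe to run anywhere.

dryrun() { printf '%s\n' "iptables $*"; }

# portfwd EXT_IF EXT_IP EXT_PORT INT_IP INT_PORT
portfwd() {
    ext_if=$1 ext_ip=$2 ext_port=$3 int_ip=$4 int_port=$5
    ipt=${IPTABLES:-dryrun}

    # 1. nat/PREROUTING: rewrite the destination before the routing decision.
    #    On its own this only turns "connection refused" into a timeout when
    #    the FORWARD chain later drops the rewritten packet.
    "$ipt" -t nat -A PREROUTING -i "$ext_if" -p tcp -d "$ext_ip" \
        --dport "$ext_port" -j DNAT --to-destination "$int_ip:$int_port"

    # 2. filter/FORWARD: explicitly accept the rewritten packet.  FORWARD sees
    #    the post-DNAT destination, so match on the internal address and port,
    #    not the external ones.  -I ... 1 places the rule ahead of any existing
    #    DROP/REJECT, which an appended (-A) rule would fall behind.
    "$ipt" -I FORWARD 1 -i "$ext_if" -p tcp -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT

    # 3. Replies from the internal host must be allowed back out as well.  A
    #    stateful ruleset usually has this already; a duplicate is harmless.
    #    (Older iptables spells the same match -m state --state.)
    "$ipt" -I FORWARD 1 -o "$ext_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

portfwd eth0 203.0.113.10 8080 10.0.0.5 80
```

To confirm which half is failing, watch the packet counters with `iptables -t nat -L PREROUTING -n -v --line-numbers` and `iptables -L FORWARD -n -v --line-numbers` while retrying the connection: a DNAT rule whose counter climbs while nothing in FORWARD accepts the packet is exactly the "timed out" symptom in the thread. The box already masquerades, so forwarding is enabled and the internal host's replies are de-NATed by conntrack on the way back out; no extra SNAT rule is needed for the forwarded connection.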