
Re: port forward with the ipmasq package and Iptables



On Tuesday 29 April 2003 11:28, Tom Goulet (UID0) wrote:
> > You shouldn't need the ipmasq package, NAT has been built into iptables
> > for ages.
>
> <blinks>  I need the ipmasq package (or some other way to run Iptables
> with the right rules) because the box is an IP masquerading router.

Ok, obviously the ipmasq package does something other than what I thought it 
does. I'd assumed it was something similar to the additional ip masquerade 
tools that are required for ipchains to do NAT correctly.

> > A rule like this should do the trick:
> > iptables -t nat -A PREROUTING -p tcp -d $external-ip --dport
> > $external-port \ -j DNAT --to $internal-ip:$internal-port
>
> Should this work with my existing, complicated set of Iptables rules?

Depends. As this is an "append" rule it might break if there are any 
DENY/REJECT rules before it in the chain, in which case it would be a matter 
of tweaking the position in the chain. Also, if you've got DENY/REJECTs in 
your FORWARD chain, these will potentially affect your connections too.

> This does the same thing all my other attempts have done:  Change my
> error message from "Connection refused" to "Connection timed out".
>
> I'm sure the other end is listening.

In that case, you might need to put an explicit allow in the FORWARD chain for 
that IP. It would depend on your ruleset.

> > $internal-ip in the last one can be changed to the network range, and
> > will allow general NAT for that network.
>
> It's not legal to put hyphens in shell variable names, by the way :-).

I'd just stripped those lines out of my present firewall code and formatted it 
as an example. Sorry about that. :)

> I was assuming that lots of people used the ipmasq package with Iptables
> and lots of people needed to forward ports and lots of people
> immediately knew how and were just going to point me to a Debian page
> that I missed, but I guess not :o.

Not I .. taking a quick look at it, it appears it's one of those 
auto-generating firewall scripts. I tend to avoid them myself.

t
-- 
GPG: http://n12turbo.com/tarragon/public.key
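
The rule quoted in the thread and the two follow-up points (rule position in the chain, and an explicit FORWARD allow when the symptom is "Connection timed out"), put together as an added shell example. This is not code from the thread or from the ipmasq package. The `$IPT`, `DRY_RUN`, `port_forward` and `forward_decision` names are my own, and the addresses and the chain listing used below are constructed placeholders (203.0.113.5, 192.168.1.10). `--to-destination` is the long form of the `--to` option used in the quoted rule; the `conntrack` match is used instead of the older `state` match.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forward plus the FORWARD allow,
# dry-run by default so the rules are printed rather than loaded.
IPT="${IPT:-iptables}"      # path to iptables (assumption: in $PATH)
DRY_RUN="${DRY_RUN:-1}"     # 1 = print the rules, 0 = load them (needs root)

# run: echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_port PORT: digits only, 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_forward EXT_IP EXT_PORT INT_IP INT_PORT
# Emits, in this order:
#  1. the nat/PREROUTING DNAT rule from the thread (underscored variable names,
#     since hyphens are not legal in shell variables);
#  2. a filter/FORWARD ACCEPT for the forwarded connection.
# Both use -I ... 1 rather than -A so they land ahead of any DROP/REJECT already
# in the chain; a drop in FORWARD is what turns "refused" into "timed out".
# A generic ESTABLISHED,RELATED accept is assumed to exist in FORWARD already
# (forward_decision below treats such rules as reply-only).
port_forward() {
    ext_ip=$1; ext_port=$2; int_ip=$3; int_port=$4
    valid_port "$ext_port" || { echo "bad external port: $ext_port" >&2; return 1; }
    valid_port "$int_port" || { echo "bad internal port: $int_port" >&2; return 1; }
    run "$IPT" -t nat -I PREROUTING 1 -p tcp -d "$ext_ip" --dport "$ext_port" \
        -j DNAT --to-destination "$int_ip:$int_port"
    run "$IPT" -I FORWARD 1 -p tcp -d "$int_ip" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# forward_decision LISTING INT_IP INT_PORT
# Walks the text of `iptables -L FORWARD -n --line-numbers` the way the kernel
# would for a NEW tcp packet to INT_IP:INT_PORT and prints the first rule that
# decides it as "<num> <target>", or "policy <TARGET>" if nothing matches.
# Fields: num target prot opt source destination [match text...]
forward_decision() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        /^Chain/ { policy = $NF; sub(/\)$/, "", policy) }
        $1 ~ /^[0-9]+$/ && ($3 == "tcp" || $3 == "all") {
            if ($6 != ip && $6 != "0.0.0.0/0") next                      # other destination
            if ($0 ~ /dpt:/ && $0 !~ ("dpt:" port "([^0-9]|$)")) next   # other port
            if ($0 ~ /state/ && $0 !~ /NEW/) next                        # reply-only rule
            print $1, $2; decided = 1; exit
        }
        END { if (!decided) print "policy", policy }'
}

# Constructed sample listing, as a ruleset with a REJECT sitting ahead of the
# new forward would look; rule 3 only helps port 80 because it precedes rule 4.
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    REJECT     tcp  --  0.0.0.0/0            192.168.1.10         tcp dpt:22 reject-with icmp-port-unreachable
3    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.10         tcp dpt:80
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Usage: print the rules for forwarding 203.0.113.5:8080 to 192.168.1.10:80
# (placeholders), then show which FORWARD rule would decide ports 80, 22, 443.
port_forward 203.0.113.5 8080 192.168.1.10 80
for p in 80 22 443; do
    printf 'port %s -> %s\n' "$p" "$(forward_decision "$SAMPLE_FORWARD" 192.168.1.10 "$p")"
done
```

Running the script as-is prints the two iptables commands and the decisions `3 ACCEPT`, `2 REJECT` and `4 DROP`; `DRY_RUN=0` as root loads the rules. Before loading, `iptables -L FORWARD -n --line-numbers` piped into `forward_decision` tells you whether an existing REJECT or DROP would still win for the forwarded port.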