[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: port forward with the ipmasq package and Iptables

On Tuesday 29 April 2003 11:28, Tom Goulet (UID0) wrote:
> > You shouldn't need the ipmasq package, NAT has been built into iptables
> > for ages.
> <blinks>  I need the ipmasq package (or some other way to run Iptables
> with the right rules) because the box is an IP masquerading router.

Ok, obviously the ipmasq package does something other than what I thought it 
does. I'd assumed it was something similar to the additional ip masquerade 
tools that are required for ipchains to do NAT correctly.

> > A rule like this should do the trick:
> > iptables -t nat -A PREROUTING -p tcp -d $external-ip --dport
> > $external-port \ -j DNAT --to $internal-ip:$internal-port
> Should this work with my existing, complicated set of Iptables rules?

Depends. As this is an "append" rule it might break if there are any 
DENY/REJECT rules before it in the chain, in which case it would be a matter 
of tweaking the position in the chain. Also, if you've got DENY/REJECTs in 
your FORWARD chain, these will potentially effect your connections too.

> This does the same thing all my other attempts have done:  Change my
> error message from "Connection refused" to "Connection timed out".
> I'm sure the other end is listening.

In that case, you might need to put an explicit allow in the FORWARD chain for 
that IP. It would depend on your ruleset.

> > $internal-ip in the last one can be changed to the network range, and
> > will allow general NAT for that network.
> It's not legal to put hyphens in shell variable names, by the way :-).

I'd just stripped those lines out of my present firewall code and formatted it 
as an example. Sorry about that. :)

> I was assuming that lots of people used the ipmasq package with Iptables
> and lots of people needed to forward ports and lots of people
> immediately knew how and were just going to point me to a Debian page
> that I missed, but I guess not :o.

Not I .. taking a quick look at it, it appears it's one of those 
auto-generating firewall scripts. I tend to avoid them myself.

GPG: http://n12turbo.com/tarragon/public.key

Reply to: