iptables and DNAT problem
[please CC me as I'm not (yet) on the list, thank you]
Hello,
I'm having problems with iptables in a particular setup.
I have defined following interfaces:
eth0 Link encap:Ethernet HWaddr 00:40:F4:74:52:7F
inet addr:157.x.x.100 Bcast:157.x.x.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35403126 errors:50773 dropped:3204 overruns:43088 frame:0
TX packets:11556310 errors:0 dropped:0 overruns:2 carrier:0
collisions:0 txqueuelen:100
RX bytes:1389250309 (1.2 GiB) TX bytes:3291432340 (3.0 GiB)
Interrupt:10 Base address:0xa000
eth0:1 Link encap:Ethernet HWaddr 00:40:F4:74:52:7F
inet addr:157.x.x.9 Bcast:157.x.x.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0xa000
eth0:2 Link encap:Ethernet HWaddr 00:40:F4:74:52:7F
inet addr:157.x.x.24 Bcast:157.x.x.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:10 Base address:0xa000
eth1 Link encap:Ethernet HWaddr 00:50:BA:C6:5D:14
inet addr:10.0.0.254 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11618570 errors:0 dropped:16714 overruns:0 frame:0
TX packets:33498523 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3306224212 (3.0 GiB) TX bytes:1148042990 (1.0 GiB)
Interrupt:9 Base address:0x6100
eth1 goes to a switch that has the 10.0.0.0/24 subnet behind it.
The default policy of all tables is accept (for now)
I want to forward all traffic on port 80 on eth0:1 to 10.0.0.75:80
I want to forward all traffic on port 25 on eth0:2 to 10.0.0.76:25
I want to forward all traffic on port 22 on eth0:2 to 10.0.0.76:22
Also I want to do masquerading.
I have run the following rules:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 157.x.x.100
iptables -t nat -A PREROUTING -p tcp -d 157.x.x.9 --dport 80 -j DNAT --to-destination 10.0.0.75:80
iptables -t nat -A POSTROUTING -s 10.0.0.75 -p tcp --source-port 80 -o eth0 -j SNAT --to-source 157.x.x.9
iptables -t nat -A PREROUTING -p tcp -d 157.x.x.24 --dport 25 -j DNAT --to-destination 10.0.0.76:25
iptables -t nat -A POSTROUTING -s 10.0.0.76 -p tcp --source-port 25 -o eth0 -j SNAT --to-source 157.x.x.24
iptables -t nat -A PREROUTING -p tcp -d 157.x.x.24 --dport 22 -j DNAT --to-destination 10.0.0.76:22
iptables -t nat -A POSTROUTING -s 10.0.0.76 -p tcp --source-port 22 -o eth0 -j SNAT --to-source 157.x.x.24
For easiness:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 157.x.x.9 tcp dpt:80 to:10.0.0.75:80
DNAT tcp -- 0.0.0.0/0 157.x.x.24 tcp dpt:22 to:10.0.0.76:22
DNAT tcp -- 0.0.0.0/0 157.x.x.24 tcp dpt:25 to:10.0.0.76:25
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 0.0.0.0/0 0.0.0.0/0 to:157.x.x.100
SNAT tcp -- 10.0.0.75 0.0.0.0/0 tcp spt:80 to:157.x.x.9
SNAT tcp -- 10.0.0.76 0.0.0.0/0 tcp spt:22 to:157.x.x.24
SNAT tcp -- 10.0.0.76 0.0.0.0/0 tcp spt:25 to:157.x.x.24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
And this works for people outside our local network. But when inside
the local LAN it does not work. People cannot connect to 157.x.x.9 and 157.x.x.24
from inside the LAN (or using the hostname).
I think something is missing but what?
Thanks in advance
--
Rudy Gevaert rudy@zeus.UGent.be
Web page http://www.webworm.org
GNU/Linux user and Savannah hacker http://savannah.gnu.org
Some men see things as they are
and say why? I dream of things
that never were and say why not?
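As an added example (not part of the post above), a script that generates the NAT rules for the three mappings in the post together with the hairpin SNAT rule that such a setup needs for clients on the LAN side; it assumes the router's LAN address 10.0.0.254 on eth1 and the LAN 10.0.0.0/24 from the ifconfig output, and the rule names and the "--apply" flag are this script's own, not iptables options.

```shell
#!/bin/sh
# Added example: DNAT plus hairpin SNAT for the mappings in the post.
# Prints the iptables commands by default; executes them only with
# "--apply" (needs root). Values below are taken from the post's ifconfig
# output; the mapping list is constructed from the three requested forwards.
LAN_IF=eth1
LAN_NET=10.0.0.0/24
LAN_GW=10.0.0.254

# One mapping per line: public_ip port internal_ip
MAPPINGS='157.x.x.9 80 10.0.0.75
157.x.x.24 25 10.0.0.76
157.x.x.24 22 10.0.0.76'

# Why the SNAT is needed for LAN clients: a client 10.0.0.x sends to
# 157.x.x.9:80, PREROUTING DNATs the destination to 10.0.0.75, and the
# server answers the client directly (same subnet, router bypassed). The
# client sees a reply from 10.0.0.75 instead of 157.x.x.9 and discards it.
# Rewriting the source of such LAN-originated, DNATed connections to the
# router's LAN address forces the reply back through the router, where
# conntrack reverses the DNAT before the client sees it. Conntrack also
# reverses the DNAT for replies to outside clients, so no port-based SNAT
# rules are needed for return traffic.
nat_rules() {
    pub=$1; port=$2; int=$3
    echo "iptables -t nat -A PREROUTING -p tcp -d $pub --dport $port -j DNAT --to-destination $int:$port"
    echo "iptables -t nat -A POSTROUTING -s $LAN_NET -d $int -p tcp --dport $port -o $LAN_IF -j SNAT --to-source $LAN_GW"
}

# Emit the rules for every mapping (two rules per mapping).
all_rules() {
    echo "$MAPPINGS" | while read -r pub port int; do
        nat_rules "$pub" "$port" "$int"
    done
}

if [ "${1:-}" = "--apply" ]; then
    all_rules | while read -r cmd; do $cmd; done
else
    all_rules
fi
```

Traffic from outside still uses the existing `-o eth0 -j SNAT --to 157.x.x.100` rule; the hairpin SNAT only matches connections that both originate in and are delivered to the LAN.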