DNAT - IPtables - route2
Hi List,
I'm using DNAT to redirect the external traffic from the firewall (Debian) to an internal server (Debian too).
All works fine (really, very fine!), but I have one problem.
I can connect from 172.16.0.0/12, from the firewall and from the internet to 100.100.100.100:80 (redirected to 10.10.1.2) without any problem. But I can't do it from 10.10.1.2 or from 10.10.1.x.
On the firewall I have this configuration:
(Sorry, I changed the public IPs to 100.100.100.100 and 200.200.200.200.)
> ip addr
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100   <- Internal interface
    inet 172.16.0.1/12 brd 172.16.255.255 scope global eth0
    inet 10.10.1.1/24 brd 10.255.255.255 scope global eth0:1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100   <- External interface 1
    link/ether 00:02:44:36:e0:d2 brd ff:ff:ff:ff:ff:ff
    inet 100.100.100.100 brd 255.255.255.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100   <- External interface 2
    link/ether 00:48:54:65:85:74 brd ff:ff:ff:ff:ff:ff
    inet 200.200.200.200 brd 255.255.255.255 scope global eth3
> iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 30540 packets, 1657K bytes)
 pkts bytes target     prot opt in  out  source         destination
  395 20340 DNAT       tcp  --  *   *    0.0.0.0/0      100.100.100.100  tcp dpt:80 to:10.10.1.2:25
....
Chain POSTROUTING (policy ACCEPT 156K packets, 11M bytes)
 pkts bytes target     prot opt in  out  source         destination
 627K   35M MASQUERADE all  --  *   eth2 172.16.0.0/12  0.0.0.0/0
 6174  345K MASQUERADE all  --  *   eth3 172.16.0.0/12  0.0.0.0/0
 2822  170K MASQUERADE all  --  *   eth2 10.10.1.0/24   0.0.0.0/0
   27  1620 MASQUERADE all  --  *   eth3 10.10.1.0/24   0.0.0.0/0
Chain OUTPUT (policy ACCEPT 78981 packets, 5307K bytes)
   67  4020 DNAT       tcp  --  *   *    0.0.0.0/0      100.100.100.100  tcp dpt:80 to:10.10.1.2:80
> iptables -L FORWARD -n -v
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in   out  source         destination
 3285  197K ACCEPT all  --  eth0 eth0 172.16.0.0/24  172.16.0.0/12
 3066  183K ACCEPT all  --  eth0 eth0 172.16.0.0/12  172.16.0.0/24
 271K   99M ACCEPT all  --  eth0 eth0 10.10.1.0/24   0.0.0.0/0
 227K   83M ACCEPT all  --  eth0 eth0 172.16.0.0/12  0.0.0.0/0
8193K 3761M ACCEPT all  --  eth0 eth2 172.16.0.0/12  0.0.0.0/0
7617K 4545M ACCEPT all  --  eth2 eth0 0.0.0.0/0      172.16.0.0/12
 179K  158M ACCEPT all  --  eth0 eth2 10.10.1.0/24   0.0.0.0/0
 140K   28M ACCEPT all  --  eth2 eth0 0.0.0.0/0      10.10.1.0/24
56500   17M ACCEPT all  --  eth0 eth3 172.16.0.0/12  0.0.0.0/0
48417   27M ACCEPT all  --  eth3 eth0 0.0.0.0/0      172.16.0.0/12
48570 8901K ACCEPT all  --  eth0 eth3 10.10.1.0/24   0.0.0.0/0
48563   54M ACCEPT all  --  eth3 eth0 0.0.0.0/0      10.10.1.0/24
    0     0 LOG    all  --  *    *    0.0.0.0/0      0.0.0.0/0      LOG flags 0 level 4
    0     0 DROP   all  --  *    *    0.0.0.0/0      0.0.0.0/0
I captured the traffic on the firewall and I can see that it doesn't get redirected.
~# tethereal -f "tcp port 80 && ip host 100.100.100.100 && ip host 10.10.1.2" -n
Capturing on eth0
 0.000000 10.10.1.2 -> 100.100.100.100 TCP 33796 > 80 [SYN] Seq=2253521809 Ack=0 Win=5840 Len=0
 2.995596 10.10.1.2 -> 100.100.100.100 TCP 33796 > 80 [SYN] Seq=2253521809 Ack=0 Win=5840 Len=0
 8.996206 10.10.1.2 -> 100.100.100.100 TCP 33796 > 80 [SYN] Seq=2253521809 Ack=0 Win=5840 Len=0
21.005996 10.10.1.2 -> 100.100.100.100 TCP 33796 > 80 [SYN] Seq=2253521809 Ack=0 Win=5840 Len=0
Any suggestion?
Thanks!
Note:
I'm marking the traffic with iptables; can that be a problem?
If yes, why does it work from 172.16.0.x?
:~# iptables -L -n -v -t mangle
Chain PREROUTING (policy ACCEPT 363K packets, 201M bytes)
 pkts bytes target prot opt in   out source     destination
10120 1106K MARK   tcp  --  eth0 *   0.0.0.0/0  0.0.0.0/0    tcp dpt:80 MARK set 0x7
# ip rule
192: from 0.0.0.0 fwmark 7 lookup 207
:~# ip route li ta 207
default via 100.100.100.1 dev eth2 proto static src 100.100.100.100
prohibit default proto static metric 1
Matias Lambert
OSInet Telecomunicaciones
Capital Federal - Buenos Aires
Argentina - CA1185ACA
http://www.osinet.com.ar
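As an added illustration (not part of the original post, and not the poster's configuration): a small Python model of the firewall's NAT path using the addresses from the post. It shows why a client on 172.16.0.x gets its SYN-ACK back while a client on 10.10.1.x only sees retransmitted SYNs, and what changes when a hairpin SNAT rule (an assumed fix, stated in HAIRPIN_RULE) rewrites the source of DNATed packets that go back out eth0.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addresses are from the post; the hairpin SNAT rule is an assumption, not the post's config.
INTERNAL = ipaddress.ip_network("10.10.1.0/24")          # subnet of the web server
LAN_NETS = [ipaddress.ip_network("172.16.0.0/12"), INTERNAL]
FW_INTERNAL_IP = "10.10.1.1"    # firewall's eth0:1 address
PUBLIC_IP = "100.100.100.100"   # public address carrying the DNAT
SERVER_IP = "10.10.1.2"         # internal web server
HAIRPIN_RULE = ("iptables -t nat -A POSTROUTING -o eth0 -s 10.10.1.0/24 "
                "-d 10.10.1.2 -p tcp --dport 80 -j SNAT --to-source 10.10.1.1")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

def firewall_forward(pkt, hairpin_snat):
    """Netfilter path on the firewall: nat PREROUTING -> routing -> nat POSTROUTING.
    Returns (egress interface, packet as the server will receive it)."""
    if pkt.dst == PUBLIC_IP and pkt.dport == 80:                  # the post's DNAT rule
        pkt = replace(pkt, dst=SERVER_IP)
    out = "eth0" if any(ipaddress.ip_address(pkt.dst) in n for n in LAN_NETS) else "eth2"
    src_lan = any(ipaddress.ip_address(pkt.src) in n for n in LAN_NETS)
    if out != "eth0" and src_lan:                                 # the post's MASQUERADE
        pkt = replace(pkt, src=PUBLIC_IP)
    elif (hairpin_snat and out == "eth0" and pkt.dst == SERVER_IP
          and ipaddress.ip_address(pkt.src) in INTERNAL):
        pkt = replace(pkt, src=FW_INTERNAL_IP)                    # assumed hairpin SNAT
    return out, pkt

def server_reply_path(reply_dst):
    """Where 10.10.1.2 sends its SYN-ACK: to itself, directly on-link, or via its gateway."""
    if reply_dst == SERVER_IP:
        return "local"          # SYN came from its own address: reply never leaves the host
    if ipaddress.ip_address(reply_dst) in INTERNAL and reply_dst != FW_INTERNAL_IP:
        return "direct"         # same subnet: reply bypasses the firewall, client sees wrong source
    return "via-firewall"       # gateway path: conntrack reverses the DNAT/SNAT

def syn_ack_reaches_client(client_ip, hairpin_snat=False):
    """True only when the reply transits the firewall, which is where the NAT is undone."""
    _, seen = firewall_forward(Packet(client_ip, PUBLIC_IP, 80), hairpin_snat)
    return server_reply_path(seen.src) == "via-firewall"

if __name__ == "__main__":
    for client in ("172.16.0.5", "203.0.113.9", "10.10.1.5", "10.10.1.2"):
        print(client, syn_ack_reaches_client(client), syn_ack_reaches_client(client, True))
```

The capture filter in the post requires both 100.100.100.100 and 10.10.1.2 in the packet, so the DNATed copy (10.10.1.2 -> 10.10.1.2) never matches; capturing on "ip host 10.10.1.2" alone would show it leaving eth0.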