
Re: Re[2]: Masquerade and DNAT with iptables



On Sun, 2003-05-25 at 03:12, Liviu Marciu wrote:
> Hello Mark,
> 
> Saturday, May 24, 2003, 2:20:39 PM, you wrote:
> 
> MD> On Sat, 2003-05-24 at 01:44, Liviu Marciu wrote:
> >> Hello,
> >> I have a linux box that is connected to internet with a pptp
> >> connection. This box is the gateway that connects my Lan to the
> >> internet using Masquerade and iptables.
> >> 
> >> How can I make a webserver from my Lan visible from the internet ?
> >> I want to redirect port 8080 from the linux box to the 192.168.0.222
> >> ip address port 80.
> 
> MD> # Some port and ip address definitions
> MD> HTTP_PORT="80"
> MD> PF_HTTP_PORT="8080"
> MD> INET_IFACE="eth0"
> MD> LINUX_SERVER_IPADDR="192.168.0.222"
> 
> MD> # DNAT (port forwarding)
> MD> $IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport $PF_HTTP_PORT \
> MD>     -j DNAT --to-destination $LINUX_SERVER_IPADDR:$HTTP_PORT
> 
> MD> HTH
> MD> Regards.
> MD> Mark.
> 
> 
> 
> Thanks for taking the time to answer this but that rule doesn't work,
> I have tried it already. I also found in some documentation that
> clearly stated that the rules that have DNAT target, have to contain
> a destination ip address, that the interface is not enough.
> Or maybe I'm wrong ???

The above rule is basically a cut and paste from one of my firewall
boxes.  It does contain a destination address which is
$LINUX_SERVER_IPADDR and a destination port of $HTTP_PORT.  Maybe you
defined your variables differently to mine?  Here is the same command
without any variables used:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 \
     -j DNAT --to-destination 192.168.0.222:80

The other thing to watch for is that there isn't another rule which is
blocking it.  For example, this rule only sets up the DNAT in the
PREROUTING chain.  The packets will then traverse the FORWARD chain
where you can filter them further.  So you need to make sure that these
packets will be allowed to pass through here.  Also, the FORWARD chain
is hit after the PREROUTING chain, so the destination address is now the
LAN address you DNATed to.

The following rule would then accept this FORWARD traffic if your
default policy for all chains is DROP (which is a good idea).

iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -j ACCEPT

If you are still having trouble debugging your firewall then try adding
a logging rule as the last rule before the packets hit the default
policy of DROP.  What I do is make a new chain which logs and then
drops.  Then instead of jumping to the DROP target, I jump to this
LogAndDrop target.  This allows you to examine the syslog to try and
work out exactly where the packets are being dropped.

For example, add the following to the top of your firewall script:
iptables -N la_debug
iptables -A la_debug -j LOG --log-level 5 --log-prefix "Debug_Accept::"
iptables -A la_debug -j ACCEPT

iptables -N ld_debug
iptables -A ld_debug -j LOG --log-level 5 --log-prefix "Debug_Drop::"
iptables -A ld_debug -j DROP

Then later in your firewall script you can do things like:
iptables -A FORWARD -i eth0 -o eth1 -p tcp --syn --dport 80 -j la_debug

and add a rule like this to the _end_ of each chain:
iptables -A FORWARD -j ld_debug
(This must be the last rule or everything on the FORWARD chain will be
blocked.)

The only other thing I can think of is to make sure you have ip
forwarding switched on in the kernel.  Putting this at the top of your
firewall script will allow that:
# Enable IP forwarding (for NAT)
echo 1 > /proc/sys/net/ipv4/ip_forward

You probably have already done most of the above, so sorry if I am not
telling you anything new.

I hope you don't mind me CCing the list since this may help someone else
too.

Regards.
Mark.
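A way to read what those logging rules produce, as an added example that is not Mark's code: the POSIX shell function below groups iptables LOG lines from syslog by interface, protocol and destination so you can see which flows hit the log-and-drop chain. The log lines are constructed samples, and the "Debug_Drop::" / "Debug_Accept::" prefixes are taken from the mail above.

```shell
#!/bin/sh
# Constructed sample syslog lines in the format the iptables LOG target writes.
# They are not real captures; the prefixes match the la_debug/ld_debug chains above.
SAMPLE_LOG='May 25 03:12:01 gw kernel: Debug_Drop::IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.222 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 03:12:02 gw kernel: Debug_Drop::IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.168.0.222 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 03:12:03 gw kernel: Debug_Accept::IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.0.222 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
May 25 03:12:04 gw kernel: Debug_Drop::IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=20'

# summarize_log PREFIX: read LOG lines on stdin, keep those carrying PREFIX and
# print "count IN OUT PROTO DST:DPT" per distinct flow, most frequent first.
# OUT is empty for packets addressed to the gateway itself (INPUT chain); shown as "-".
summarize_log() {
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            # everything after the prefix is the KEY=VALUE field list
            rest = substr($0, index($0, p) + length(p))
            n = split(rest, f, " ")
            in_if = ""; out_if = ""; proto = ""; dst = ""; dpt = ""
            for (i = 1; i <= n; i++) {
                split(f[i], kv, "=")
                if (kv[1] == "IN") in_if = kv[2]
                else if (kv[1] == "OUT") out_if = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (out_if == "") out_if = "-"
            count[in_if " " out_if " " proto " " dst ":" dpt]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Dropped flows. Note DST is already the LAN address that the PREROUTING DNAT
# rewrote it to, so a FORWARD rule matching the public address never sees them.
printf '%s\n' "$SAMPLE_LOG" | summarize_log "Debug_Drop::"
```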
