Hola. Me respondo a mi mismo y espero que
sirva de ayuda a todos. El error está en lo siguiente La política por defecto en FORWARD es
DROP , con lo cual nunca puede hacer FORWARDING el paquete correctamente porque
cae. Por cada puerto que se quiera
redireccionar hay que añadir en la regla FORWARD un ACCEPT con ese puerto. Lo primero es redireccionar los puertos
del router ADSL a la ip local de la máquina DEBIAN que hace de router
(192.168.0.2) La estructura sería más o menos así. $MAC = “192.168.1.14” ->
LA ip de la red local 46138 -> Puerto que uso yo, puede ser
cualquiera La notacion $MAC:46138 no sería
necesaria porque puerto destino y origen son idénticos si fuesen distintos si
sería necesario especificarlo. Con $MAC sería suficiente (manías de
cada uno) La primera línea redirecciona el puerto
a la ip y la segunda establece en aceptar la política de FORWARD iptables -t nat -A
PREROUTING -p tcp --dport 46138 -i $EXTIF -j DNAT --to $MAC:46138 iptables -A FORWARD -p
tcp -i $EXTIF -d $MAC --dport 46138 -j ACCEPT Atentamente, Jorge Giménez De: Jorge Giménez
[mailto:jorge.gimenez@wanadoo.es] Hola. Estoy intentando hacer DNAT con Debian. El SNAT funciona perfectamente . Después de leerme
el How to e instalar el rc.firewall-iptables que viene en ese documento Os hago un esquema de cómo está la red Router ADSL -à
192.168.0.1/255.255.255.240 Linux --> Eth0 à
192.168.0.2/255.255.255.240 GW 192.168.0.1 à Eth1
à
192.168.1.1/255.255.255.240 Red local à 192.168.1.X /
255.255.255.240 Todos los equipos en la red local acceden a Internet sin
problemas. Ahora lo que necesito es redireccionar los puertos que
antes tenía redireccionados al router redireccionarlos a los equipos de la red
192.168.1.X Como el 46138 (VNC) por ejemplo que estaba
redireccionado al 192.168.0.14 , que ahora pasa a ser 192.168.1.14 Este equipo navega perfectamente pero creo que el DNAT no
funciona. La prueba que yo hago es intentar desde la red 192.168.0.x
con un pc con red 192.168.0.x intentar acceder con un cliente VNC a
192.168.0.2:46138. Entiendo que si el DNAT se hiciera correctamente me pediría
la clave de acesso al VNC. (Lo hace si esa máquina la cambio a la red
192.168.0.x tanto desde la red local como desde Internet, el router
redirecciona correctamente a ese puerto) De hecho si hago un dmesg me sale esto IN=eth0 OUT=eth1 SRC="" DST=192.168.1.14
LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=47736 DF PROTO=TCP SPT=12154 DPT=46138
WINDOW=65535 RES=0x00 SYN URGP=0 Os pego el script que uso , indicando las líneas que he
añadido para hacer DNAT . Está al final del todo la línea que hace DNAT. ---Inicio---- #!/bin/sh # # rc.firewall-iptables FWVER=0.76 # #
Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels #
using IPTABLES. # #
Once IP Masquerading has been tested, with this simple #
ruleset, it is highly recommended to use a stronger #
IPTABLES ruleset either given later in this HOWTO or #
from another reputable resource. # # # # Log: # 0.76 - Added
comments on why the default policy is ACCEPT # 0.75 - Added
more kernel modules to the comments section # 0.74 - the
ruleset now uses modprobe vs. insmod # 0.73 - REJECT
is not a legal policy yet; back to DROP # 0.72 -
Changed the default block behavior to REJECT not DROP # 0.71 - Added
clarification that PPPoE users need to use #
"ppp0" instead of "eth0" for their external interface # 0.70 - Added
commented option for IRC nat module #
- Added additional use of environment variables #
- Added additional formatting # 0.63 - Added
support for the IRC IPTABLES module # 0.62 - Fixed
a typo on the MASQ enable line that used eth0 #
instead of $EXTIF # 0.61 -
Changed the firewall to use variables for the internal #
and external interfaces. # 0.60 - 0.50
had a mistake where the ruleset had a rule to DROP #
all forwarded packets but it didn't have a rule to ACCEPT #
any packets to be forwarded either #
- Load the ip_nat_ftp and ip_conntrack_ftp modules by default # 0.50 -
Initial draft # echo -e "\n\nLoading simple
rc.firewall-iptables version $FWVER..\n" # The location of the iptables and kernel module
programs # # If your Linux distribution came with
a copy of iptables, # most likely all the programs will be
located in /sbin. If # you manually compiled iptables, the
default location will # be in /usr/local/sbin # # ** Please use the "whereis iptables" command
to figure out # ** where your copy is and change the path below
to reflect # ** your setup # IPTABLES=/sbin/iptables #IPTABLES=/usr/local/sbin/iptables DEPMOD=/sbin/depmod MODPROBE=/sbin/modprobe #Setting the EXTERNAL and INTERNAL interfaces for
the network # # Each IP Masquerade network needs to have at
least one # external and one internal network.
The external network # is where the natting will occur and the
internal network # should preferably be addressed with a
RFC1918 private address # scheme. # # For this example, "eth0" is
external and "eth1" is internal" # # # NOTE: If this doesnt EXACTLY fit your
configuration, you must #
change the EXTIF or INTIF variables above. For example: # #
If you are a PPPoE or analog modem user: # #
EXTIF="ppp0" # # EXTIF="eth0" INTIF="eth1" MAC="192.168.1.14" # 46138 echo " External Interface:
$EXTIF" echo " Internal Interface:
$INTIF" #====================================================================== #== No editing beyond this line is required for
initial MASQ testing == echo -en " loading modules: " # Need to verify that all modules have all required
dependencies # echo " - Verifying that all kernel
modules are ok" $DEPMOD -a # With the new IPTABLES code, the core MASQ
functionality is now either # modular or compiled into the kernel. This
HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is
compiled correctly, there is # NO need to load the kernel modules
manually. # # NOTE: The following items are listed ONLY
for informational reasons. # There
is no reason to manual load these modules unless your # kernel
is either mis-configured or you intentionally disabled # the
kernel module autoloader. # # Upon the commands of starting up IP Masq on the
server, the # following kernel modules will be automatically
loaded: # # NOTE: Only load the IP MASQ modules you
need. All current IP MASQ # modules
are shown below but are commented out from loading. #
=============================================================== echo
"----------------------------------------------------------------------" #Load the main body of the IPTABLES module -
"iptable" # - Loaded automatically when the
"iptables" command is invoked # # - Loaded manually to clean up kernel
auto-loading timing issues # echo -en "ip_tables, " $MODPROBE ip_tables #Load the IPTABLES filtering module -
"iptable_filter" # - Loaded automatically when filter policies
are activated #Load the stateful connection tracking framework -
"ip_conntrack" # # The conntrack module in itself does nothing
without other specific # conntrack modules being loaded afterwards such as
the "ip_conntrack_ftp" # module # # - This module is loaded automatically when
MASQ functionality is # enabled # # - Loaded manually to clean up kernel
auto-loading timing issues # echo -en "ip_conntrack, " $MODPROBE ip_conntrack #Load the FTP tracking mechanism for full FTP
tracking # # Enabled by default -- insert a "#" on
the next line to deactivate # echo -en "ip_conntrack_ftp, " $MODPROBE ip_conntrack_ftp #Load the IRC tracking mechanism for full IRC
tracking # # Enabled by default -- insert a "#" on
the next line to deactivate # echo -en "ip_conntrack_irc, " $MODPROBE ip_conntrack_irc #Load the general IPTABLES NAT code -
"iptable_nat" # - Loaded automatically when MASQ
functionality is turned on # # - Loaded manually to clean up kernel auto-loading
timing issues # echo -en "iptable_nat, " $MODPROBE iptable_nat #Loads the FTP NAT functionality into the core
IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on
the next line to deactivate # echo -en "ip_nat_ftp, " $MODPROBE ip_nat_ftp #Loads the IRC NAT functionality into the core
IPTABLES code # Required to support NAT of IRC DCC requests # # Disabled by default -- remove the "#"
on the next line to activate # #echo -e "ip_nat_irc" #$MODPROBE ip_nat_irc echo
"----------------------------------------------------------------------" # Just to be complete, here is a partial list of
some of the other # IPTABLES kernel modules and their function.
Please note that most # of these modules (the ipt ones) are automatically
loaded by the # master kernel module for proper operation and
don't need to be # manually loaded. #
-------------------------------------------------------------------- # # ip_nat_snmp_basic - this module
allows for proper NATing of some #
SNMP traffic # #
iptable_mangle - this target allows for packets to be #
manipulated for things like the TCPMSS #
option, etc. # # -- # #
ipt_mark - this target marks a given packet
for future action. #
This automatically loads the ipt_MARK module # #
ipt_tcpmss - this target allows to manipulate the TCP
MSS #
option for braindead remote firewalls. #
This automatically loads the ipt_TCPMSS module # #
ipt_limit - this target allows for packets to be
limited to #
to many hits per sec/min/hr # # ipt_multiport - this
match allows for targets within a range #
of port numbers vs. listing each port individually # #
ipt_state - this match allows to catch packets
with various #
IP and TCP flags set/unset # # ipt_unclean -
this match allows to catch packets that have invalid #
IP/TCP flags set # # iptable_filter - this module
allows for packets to be DROPped, #
REJECTed, or LOGged. This module automatically #
loads the following modules: # #
ipt_LOG - this target allows for packets to be #
logged # #
ipt_REJECT - this target DROPs the packet and returns #
a
configurable ICMP packet back to the #
sender. # echo -e " Done loading
modules.\n" #CRITICAL: Enable IP forwarding since it is
disabled by default since # #
Redhat Users: you may try changing the options in #
/etc/sysconfig/network from: # #
FORWARD_IPV4=false #
to #
FORWARD_IPV4=true # echo " Enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address
dynamically from SLIP, PPP, or DHCP, # enable this following option.
This enables dynamic-address hacking # which makes the life with Diald and
similar programs much easier. # #echo " Enabling DynamicAddr.." #echo "1" >
/proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP
Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example
for an internal LAN address in the #
192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask #
connecting to the Internet on external interface "eth0". This #
example will MASQ internal traffic out to the Internet but not #
allow non-initiated traffic into your internal network. # #
#
** Please change the above network numbers, subnet mask, and your #
*** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT
and OUTPUT is ACCEPT # The default for FORWARD is DROP
(REJECT is not a valid policy) # # Isn't ACCEPT insecure? To some
degree, YES, but this is our testing # phase. Once we know that IPMASQ
is working well, I recommend you run # the rc.firewall-*-stronger rulesets
which set the defaults to DROP but # also include the critical additional
rulesets to still let you connect to # the IPMASQ server, etc. # echo " Clearing any existing rules
and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections
OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state
--state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE)
functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j
MASQUERADE #A partir de aquí lo he añadido yo echo " Enabling DNAT functionality on
$EXTIF" iptables -t nat -A PREROUTING -p tcp --dport 46138
-i $EXTIF -j DNAT --to $MAC:46138 #Fin de la modificación respecto al script original echo -e "\nrc.firewall-iptables v$FWVER done.\n" ----Fin---- Atentamente, Jorge Giménez |