Randseed (Tux's lil' helper), joined 01 Apr 2004, 111 posts
Posted: Tue Jan 18, 2005 7:37 am    Post subject: iptables DNAT port redirection
I give up. I have a server running on an internal machine. The border router has a real IP address and two ethernet cards. eth0 is the internal interface, and eth1 is the Internet interface. All I want to do is accept connections on the border router's IP address at a specific port, and have that transparently redirected to the internal machine.
I also have a rule to masquerade traffic that's from the internal network and not going to an internal network address (e.g., going to the Internet). This has worked fine.
What should work is this:
Code:
```sh
# iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
# iptables -t nat -I PREROUTING -p tcp --dport $PORT -j DNAT --to-destination $INTERNAL
```
If I leave out the NAT code, then the border machine has an open port with nothing running on it, and of course closes the connection. With the NAT code, it acts like it's getting nothing back at all, and a telnet will just hang there waiting for a connection.
Now I can get it to work if I MASQUERADE traffic from the other box on that port, and everything works. Unfortunately, the internal box sees all traffic as coming from the firewall box, which simply won't do. I need the server to see the real Inet IP addresses of the remote machines that try to connect, not the firewall box.
What the hell am I doing wrong? I'm accepting traffic on both the machines.
Is it possibly something to do with my masquerading rule?
Randseed
Posted: Tue Jan 18, 2005 8:13 am    Post subject: Fixed... Sort of.
Well, lo and behold, look at the problem. Or at least what I think it is.
I set up the same rules and got a few connections externally. Apparently what's going on is that when I try to connect to the port on a LAN address, the network layer gets completely confused and can't figure out why some random address is sending it an ACK when it never sent it a SYN. Of course, I still can't connect from inside the LAN.
Go figure.
Something for the FAQ.
CriminalMastermind (Tux's lil' helper), joined 19 Nov 2003, 132 posts, Location: toronto
Posted: Tue Jan 18, 2005 8:26 am
Randseed wrote:
> # iptables -I INPUT -p tcp --dport $PORT -j ACCEPT
> # iptables -t nat -I PREROUTING -p tcp --dport $PORT -j DNAT --to-destination $INTERNAL
OK, I kinda get lost with what you say later... but try changing that INPUT in the first iptables command to FORWARD.
If memory serves me correctly, NAT happens before filter... so you've changed the IP on the packets to be that of your internal box, so it now falls under the FORWARD chain.
Hope that helps.
_________________
"I can picture a perfect world that knows of no war... and I can picture me attacking that world, because they'd never expect it."
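A rule set that puts the three posts above together (DNAT in PREROUTING, ACCEPT in FORWARD rather than INPUT, and the extra hairpin rule for the LAN-client case Randseed hit in the second post), written here as an added example; it is not code from the thread. Interface names, the public address, the LAN range, the internal host and the port are all assumed placeholders, and the function prints the commands instead of running them so the rule set can be inspected (or tested) before it is applied as root.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical layout: WAN_IF faces the
# Internet and carries WAN_IP, LAN_IF faces LAN_NET, INTERNAL runs the service
# on PORT. Prints the iptables commands for: port forward that preserves the
# remote client's real source address, plus hairpin NAT for LAN clients.
#
# Usage: port_forward_rules WAN_IF LAN_IF WAN_IP LAN_NET INTERNAL PORT
port_forward_rules() {
    wan_if=$1; lan_if=$2; wan_ip=$3; lan_net=$4; internal=$5; port=$6
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# Rewrite the destination before the routing decision. Matching on -d $wan_ip
# keeps this from DNATing every packet to port $port that merely passes through
# the router (the thread's rule had no -d and matched all destinations).
# After DNAT the packet is no longer addressed to the router itself, so it
# traverses FORWARD, not INPUT; an ACCEPT in INPUT never sees it.
iptables -t nat -A PREROUTING -d $wan_ip -p tcp --dport $port -j DNAT --to-destination $internal:$port
# Filter table: replies for any tracked connection, then the new forwarded
# connections. The source address is left alone, so $internal logs the real
# remote client, not the router. (-m state --state is the older spelling.)
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $lan_if -d $internal -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
# Hairpin case: a LAN client connecting to $wan_ip is DNATed too, but the
# server's SYN-ACK would then come straight back from $internal, an address the
# client never sent a SYN to, so the client resets it. Masquerade only these
# LAN-originated flows so the reply returns through the router. External
# clients never match -s $lan_net, so the server still sees their addresses.
iptables -t nat -A POSTROUTING -o $lan_if -s $lan_net -d $internal -p tcp --dport $port -j MASQUERADE
EOF
}

# Apply the generated rules; needs root and the nf_conntrack modules loaded.
apply_port_forward_rules() {
    port_forward_rules "$@" | sh -e
}

# Hypothetical values: forward TCP 8080 on public address 203.0.113.10 (eth1)
# to 192.168.1.20 on the LAN 192.168.1.0/24 (eth0). Review, then apply.
# port_forward_rules eth1 eth0 203.0.113.10 192.168.1.0/24 192.168.1.20 8080
# apply_port_forward_rules eth1 eth0 203.0.113.10 192.168.1.0/24 192.168.1.20 8080
```

To confirm the path the packets actually take, watch the packet counters with `iptables -t nat -L PREROUTING -n -v` and `iptables -L FORWARD -n -v` while connecting from outside and from the LAN: the PREROUTING DNAT counter and the FORWARD NEW counter should both increment, the POSTROUTING MASQUERADE counter only for the LAN-originated test. The price of the hairpin rule is that, for LAN clients only, the server sees the router's LAN address; connections from the Internet keep their real source address because they never match `-s LAN_NET`.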