LinuxQuestions.org
Linux - Networking
Old 08-10-2010, 01:24 PM   #1
Allesmachine
LQ Newbie
 
Registered: May 2007
Distribution: CentOS/RHEL/Fedora
Posts: 6

Rep: Reputation: 0
Help with port translation using iptables


New to iptables and not getting expected results, here's the problem:

I'm trying to build a proxy for SNMPv3 communication between a border router and an internal cacti box. I've got a CentOS 5 server set up in a DMZ network segment adjacent to the border router and firewall rules set up to allow traffic on specified ports from the internal cacti server to the proxy server. Ideally I would like to monitor several other switches in this DMZ network also so the thinking is that we would set up SNMP queries in cacti on certain ports for certain devices and make DNAT rules in iptables.

Examples:

Border router = 192.168.1.2
DMZ Switch 1 = 192.168.1.3
DMZ Switch 2 = 192.168.1.4
Proxy Server = 192.168.1.5
Cacti Server = 10.0.1.2

Cacti SNMP query for border router would target 192.168.1.5 on port 50102, and the proxy would contain a NAT rule to forward the traffic to 192.168.1.2 on port 161.

#iptables -t nat -A PREROUTING -p udp --dport 50102 -j DNAT --to-destination 192.168.1.2:161

For the DMZ switch 1, the query would target port 50103 and the iptables rule would look like this:

#iptables -t nat -A PREROUTING -p udp --dport 50103 -j DNAT --to-destination 192.168.1.3:161

So first of all, the targets are not getting the queries. I can see the requests hitting the proxy with tcpdump, but they are not leaving. I tried isolating the port translation issue by issuing the queries on port 161 and simply forwarding SNMP to one of the targets in the DMZ with no luck still...

That's the biggest problem. I've got further questions about how to handle responses once I start actually seeing them, like do I need to make a reverse rule for the responses since this is a UDP protocol?

Last edited by Allesmachine; 08-10-2010 at 01:27 PM. Reason: spelling error
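As an added illustration of the setup described in this post (not code from the thread or its author), here is a generator for the full rule set such a proxy needs: DNAT in PREROUTING only rewrites the destination, so the proxy must also forward the packet (FORWARD chain with net.ipv4.ip_forward=1) and SNAT it in POSTROUTING so the target answers the proxy, whose conntrack table then undoes both translations on the reply. The interface name eth0 and port 50104 for DMZ switch 2 are assumptions; the rules are limited to the cacti address so the proxy cannot be used as an open SNMP relay.

```shell
#!/bin/sh
# Added example, not from the thread: build the iptables rules for the
# SNMP port-translation proxy. Defaults to preview mode (prints the
# commands); run as root with IPT=iptables to apply them. The proxy also
# needs net.ipv4.ip_forward=1.
preview() { printf 'iptables %s\n' "$*"; }
IPT=${IPT:-preview}
PROXY_IP=192.168.1.5        # proxy address from the post
CACTI_IP=10.0.1.2           # only this host may use the proxy
DMZ_IF=eth0                 # assumed: interface facing the firewall

# "listening port -> real target" pairs; 50104 for switch 2 is assumed
MAP='50102 192.168.1.2
50103 192.168.1.3
50104 192.168.1.4'

nat_rules() {
  printf '%s\n' "$MAP" | while read -r port target; do
    [ -n "$port" ] || continue
    # 1. rewrite destination: cacti -> proxy:PORT becomes cacti -> target:161
    $IPT -t nat -A PREROUTING -i "$DMZ_IF" -s "$CACTI_IP" -d "$PROXY_IP" \
      -p udp --dport "$port" -j DNAT --to-destination "$target:161"
    # 2. let the translated query through (FORWARD policy is DROP below)
    $IPT -A FORWARD -s "$CACTI_IP" -d "$target" -p udp --dport 161 \
      -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # 3. let the reply back; conntrack reverses the NAT, no reverse rule needed
    $IPT -A FORWARD -s "$target" -d "$CACTI_IP" -p udp --sport 161 \
      -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 4. make the target answer the proxy rather than cacti directly, so the
    #    reply always passes through the proxy's conntrack table
    $IPT -t nat -A POSTROUTING -d "$target" -p udp --dport 161 \
      -j SNAT --to-source "$PROXY_IP"
  done
}

# number of generated rules containing a given string (used for checks)
rule_count() {
  nat_rules | grep -c -- "$1"
}

$IPT -P FORWARD DROP
nat_rules
```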
 
Old 08-10-2010, 01:34 PM   #2
SciFi-Bob
Member
 
Registered: Aug 2008
Location: Denmark
Distribution: Ubuntu
Posts: 62

Rep: Reputation: 18
I would guess you also need an ACCEPT or JUMP rule in the INPUT table to actually forward the requests to the nat table, otherwise they will be dropped on sight.
But I'm not an iptables wizard - I'm using shorewall.
 
Old 08-10-2010, 01:44 PM   #3
Allesmachine
LQ Newbie
 
Registered: May 2007
Distribution: CentOS/RHEL/Fedora
Posts: 6

Original Poster
Rep: Reputation: 0
Good point, I forgot to mention that I configured the Filter table (using the RH-firewall) to accept SNMP traffic as well as the other custom ports. The ACCEPT and INPUT chains are a part of the filter table, so they do need to be defined. But once that is done, the NAT table has the task of routing. Am I right, or is Mark Sobell lying to me?

Last edited by Allesmachine; 08-10-2010 at 01:46 PM.
 
Old 08-11-2010, 08:27 AM   #4
Allesmachine
LQ Newbie
 
Registered: May 2007
Distribution: CentOS/RHEL/Fedora
Posts: 6

Original Poster
Rep: Reputation: 0
Ohh gees, the error rate on our primary Internet DS3 has gone through the roof again and we had to cut over the entire company to a backup. This is why I need SNMP alerting on the border router! Please help?
 