LinuxQuestions.org

IPTABLES and port forwarding (http://www.linuxquestions.org/questions/linux-networking-3/iptables-and-port-forwarding-172673/)

freibuis 04-20-2004 07:51 PM

IPTABLES and port forwarding
 
At the moment I have

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 80 -j DNAT --to 192.168.0.1:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 25 -j DNAT --to 192.168.0.1:25

in my firewall scripts.
router IP address = 192.168.0.254
6.5.4.3 = external IP
(distro: Slackware)
It works fine as a port forward, but I have noticed that the port forward does not pass on the original IP address to these servers.

Basically, the mail server was allowed to relay for the IP address range 192.168.0.0/24,
but since the original IP address is not passed on, my mail server could relay for everyone (I have now excluded that IP from relaying).

Also, with the web server the logs have the remote IP address as the router IP of 192.168.0.1.

Is there any way of port forwarding and leaving the original IP address on with iptables?
:scratch:

Capt_Caveman 04-20-2004 09:49 PM

The DNAT rule shouldn't do that by itself. I actually use pretty much the identical DNAT rule on one of my firewalls and, just to be sure, I ran tcpdump to capture some packets; they all have the original source IP. Do you have any other NAT rules that might be the cause? Maybe a misconfigured MASQUERADE or SNAT rule?

freibuis 04-20-2004 10:28 PM

/sbin/modprobe iptable_nat
/sbin/modprobe ipt_conntrack
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc


echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 25 -j DNAT --to 192.168.0.1:25
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 53 -j DNAT --to 192.168.0.1:53
iptables -t nat -A PREROUTING -p udp -i eth0 -d 6.5.4.3 --dport 53 -j DNAT --to 192.168.0.1:53
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 80 -j DNAT --to 192.168.0.1:80


I checked the logs of both the web and mail server; both only report a connection from the router.

Capt_Caveman 04-20-2004 10:33 PM

Looks like you are masquerading out the wrong interface:

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

try changing that to:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

In your rule all packets going out eth1 (into the LAN) are given the IP of the router. What you want is for all packets going out eth0 (to the internet) to look like they have the router's IP.
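
The corrected rule set from this reply, written out as a complete script with the rules the thread shows plus the FORWARD entries the port forwards need and a check for the mistake. This is an added example, not from the thread or from either poster: the interface names and addresses are the ones the thread uses, while the LAN range 192.168.0.0/24 and a DROP policy on FORWARD are assumptions, and the `ipt` wrapper, `show_rules` and `check_no_lan_masquerade` are helper names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: the corrected rule set with MASQUERADE on the
# external interface (the fix suggested above), plus the FORWARD rules the
# port-forwarded connections need and a check that the mistake is gone.
# Interfaces and addresses are the thread's (eth0 external, eth1 LAN,
# 6.5.4.3 external IP, 192.168.0.1 server). ASSUMED: the LAN is 192.168.0.0/24
# and the FORWARD chain policy is DROP.
#
# Usage:  sh fw.sh show   # print the rules (dry run), nothing is changed
#         sh fw.sh load   # load them as root

EXT_IF=eth0
LAN_IF=eth1
EXT_IP=6.5.4.3
SRV=192.168.0.1
LAN_NET=192.168.0.0/24

# Print the rule instead of executing it when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

load_rules() {
    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # Forwarded traffic: replies to anything already tracked, and LAN hosts going out
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # Masquerade only what leaves towards the internet. The thread's bug was "-o eth1":
    # that rewrote the source of every packet entering the LAN, including the DNATed
    # ones, so the mail and web servers logged the router instead of the real client
    # (and the mail server relayed for it, since the router is inside 192.168.0.0/24).
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Port forwards. DNAT in PREROUTING rewrites the destination before routing;
    # the packet then traverses FORWARD with the post-DNAT address, so the FORWARD
    # rule matches on $SRV, not on $EXT_IP.
    for spec in tcp/25 tcp/53 udp/53 tcp/80; do
        proto=${spec%/*}
        port=${spec#*/}
        ipt -t nat -A PREROUTING -i "$EXT_IF" -p "$proto" -d "$EXT_IP" --dport "$port" \
            -j DNAT --to-destination "$SRV:$port"
        ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -p "$proto" -d "$SRV" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
}

# Print the rules without touching the kernel
show_rules() {
    ( DRY_RUN=1; load_rules )
}

# Exit 0 only if no MASQUERADE or SNAT rule is attached to the LAN interface,
# i.e. the mistake from the thread is absent from the rule set
check_no_lan_masquerade() {
    ! show_rules | grep -E -- "POSTROUTING .*-o $LAN_IF .*-j (MASQUERADE|SNAT)" >/dev/null
}

# After loading, confirm on the router itself:
#   iptables -t nat -L POSTROUTING -v -n   # MASQUERADE must show "out eth0", not eth1
#   tcpdump -ni eth1 tcp port 80           # packets to 192.168.0.1 carry the client's real source IP

case "${1:-}" in
    show) show_rules ;;
    load) load_rules ;;
esac
```

The `-m state --state NEW` FORWARD rule is what the original script was missing if its FORWARD policy is DROP: the ESTABLISHED,RELATED rule alone only lets replies through, so the DNATed first packet of each connection would never reach the server. With a default ACCEPT policy that rule is redundant but harmless.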

freibuis 04-20-2004 10:59 PM

Capt_Caveman, you are right.. I don't know why I did not see that :)

The easiest answers are usually the best :)

For some reason I kept seeing eth1 as the external interface, even though I knew that the external was eth0 :)


no more :scratch: ..I feel like a :newbie: ..

Thumbs up Capt_Caveman for seeing that :)

Capt_Caveman 04-21-2004 09:06 PM

Quote (freibuis): Capt_Caveman, you are right.. I don't know why I did not see that

Those kinds of mistakes happen to everyone, sooner or later :)

