LinuxQuestions.org
Linux - Networking forum

Old 04-20-2004, 08:51 PM   #1
freibuis
LQ Newbie
 
Registered: Apr 2004
Distribution: Slackware
Posts: 13

Rep: Reputation: 0
IPTABLES and port forwarding


At the moment I have

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 80 -j DNAT --to 192.168.0.1:80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 25 -j DNAT --to 192.168.0.1:25

in my firewall scripts.
router ip address = 192.168.0.254
6.5.4.3 = External IP
(distro slackware)

It works fine as a port forward, but I have noticed that the port forward does not pass on the original IP address to these servers.

Basically the mail server was allowed to relay for ip address 192.168.0.0/24, but since it does not pass on the original IP address my mail server could relay for everyone (I have now excluded that ip from relay).

Also with the web server the logs have the remote IP address as the router ip of 192.168.0.1.

Is there any way of port forwarding and leaving on the original IP address with iptables?
 
Old 04-20-2004, 10:49 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The DNAT rule shouldn't do that by itself. I actually use pretty much the identical DNAT rule on one of my firewalls and, just to be sure, I ran tcpdump to capture some packets and they all have the original source IP. Do you have any other NAT rules that might be the cause? Maybe something like a misconfigured MASQUERADE or SNAT rule?
 
Old 04-20-2004, 11:28 PM   #3
freibuis
LQ Newbie
 
Registered: Apr 2004
Distribution: Slackware
Posts: 13

Original Poster
Rep: Reputation: 0
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_conntrack
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc


echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 25 -j DNAT --to 192.168.0.1:25
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 53 -j DNAT --to 192.168.0.1:53
iptables -t nat -A PREROUTING -p udp -i eth0 -d 6.5.4.3 --dport 53 -j DNAT --to 192.168.0.1:53
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 6.5.4.3 --dport 80 -j DNAT --to 192.168.0.1:80


I checked the logs of both the web and mail servers; both only report connections from the router.
 
Old 04-20-2004, 11:33 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Looks like you are masquerading out the wrong interface:

iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

try changing that to:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE

In your rule, all packets going out eth1 (into the LAN) are given the IP of the router. What you want is for all packets going out eth0 (to the Internet) to look like they have the router's IP.
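An added audit example (editor's code, not from this thread or from either poster): a small sh/awk check over iptables-save output that flags the mistake Capt_Caveman spotted, plus its two close relatives, a MASQUERADE/SNAT rule with no --out-interface at all (it then fires on every egress interface, the LAN included) and a negated match such as "! -o eth0" that still covers the LAN side. It assumes, as in the thread, that eth0 is the external interface and eth1 is the LAN, and the two rule dumps it audits are constructed to mirror the rules posted above, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from this thread): audit an iptables-save dump for source
# NAT that fires on the LAN-facing interface. Any MASQUERADE/SNAT rule in
# nat/POSTROUTING that matches the LAN interface rewrites the source address of
# DNAT'd connections to the router's, so servers behind it see every client,
# Internet included, as the router.
#
# Assumption taken from the thread: eth0 = external, eth1 = LAN.
LAN_IF="${LAN_IF:-eth1}"

# Constructed iptables-save style nat tables modelled on the rules posted above.
# BAD_NAT reproduces the misconfiguration (masquerade out eth1, into the LAN);
# GOOD_NAT carries the corrected rule (masquerade out eth0, toward the Internet).
BAD_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 6.5.4.3/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.1:25
-A PREROUTING -i eth0 -d 6.5.4.3/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:80
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT'

GOOD_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 6.5.4.3/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.1:25
-A PREROUTING -i eth0 -d 6.5.4.3/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# find_lan_snat: read iptables-save text on stdin, print every offending
# nat/POSTROUTING rule with the reason, return 1 if any was found, else 0.
find_lan_snat() {
    awk -v lan="$LAN_IF" '
        /^\*/ { table = substr($0, 2); next }          # table header: *nat, *filter
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            out = "any"; neg = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o" || $i == "--out-interface") {
                    # negation is written "! -o eth1" (newer) or "-o ! eth1" (older)
                    if ($(i + 1) == "!") { neg = 1; out = $(i + 2) }
                    else { neg = ($(i - 1) == "!"); out = $(i + 1) }
                }
                if ($i == "-j") target = $(i + 1)
            }
            if (target != "MASQUERADE" && target != "SNAT") next
            if (out == "any")
                reason = "no --out-interface, so it also fires on " lan
            else if (neg && out != lan)
                reason = "! -o " out " still includes " lan
            else if (!neg && out == lan)
                reason = "explicit --out-interface " lan
            else
                next
            print reason ": " $0
            found++
        }
        END { exit (found ? 1 : 0) }
    '
}

# audit_nat: convenience wrapper taking the dump as an argument. On a live
# router you would pipe instead: iptables-save | find_lan_snat
audit_nat() {
    printf '%s\n' "$1" | find_lan_snat
}

# Stand-alone demo over the two constructed rule sets.
echo "== misconfigured rule set (masquerade out eth1) =="
audit_nat "$BAD_NAT" || echo "-> FAIL: forwarded clients will appear as the router"
echo "== corrected rule set (masquerade out eth0) =="
audit_nat "$GOOD_NAT" && echo "-> OK: original client addresses reach the servers"
```

The check only inspects rules attached directly to nat/POSTROUTING; source NAT placed in a user-defined chain that POSTROUTING jumps to is not followed, so on a busier ruleset extend the awk or read the whole chain by hand. The mail-relay problem the original poster describes follows directly from the flagged rule: once every forwarded connection arrives with a 192.168.0.x source, an IP-based relay allow-list for 192.168.0.0/24 admits the entire Internet, which is why a source-NAT mistake on the LAN side is a security bug and not just a logging nuisance.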
 
Old 04-20-2004, 11:59 PM   #5
freibuis
LQ Newbie
 
Registered: Apr 2004
Distribution: Slackware
Posts: 13

Original Poster
Rep: Reputation: 0
Capt_Caveman, you are right. I don't know why I did not see that.

The easiest answers are usually the best.

For some reason I kept seeing eth1 as the external, even though I knew that the external was eth0.


No more... I feel like a...

Thumbs up Capt_Caveman for seeing that.
 
Old 04-21-2004, 10:06 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote: Capt_Caveman, you are right. I don't know why I did not see that.

Those kinds of mistakes happen to everyone, sooner or later.
 
  

