Annoying static DNAT problem
Hi! I'm trying to get a simple static DNAT mapping working and I can't seem to make it work. In my case, eth1 is the external internet and eth4 is a DMZ (10.0.0.0/24). The machine I'm trying to NAT is 10.0.0.2.
eth1:3 is aliased to 1.2.3.4, eth4 is 10.0.0.1. I'm trying to do this:
Code:
iptables -t nat -A PREROUTING -j DNAT -i eth1 -d 1.2.3.4 --to-destination 10.0.0.2
I know it's possible to set LOG targets in iptables, but I'm not sure how to do that. So if anyone's thinking of suggesting that, please include a short example. This is all under a custom-compiled Linux 2.4.27 kernel on a RedHat 9 system, by the way.
Hi,
What's your default FORWARD policy? If it's DROP, you will need to explicitly set a rule to forward between the interfaces/subnets. Also, make sure your forwarding flag has been set true in /proc/sys/net/ipv4/ip_forward (depends on your kernel though). Make sure you have an INPUT rule on eth1 to allow inbound connections on the required port too. And don't forget the SNAT/MASQ rule on eth1 for your return packets ;) If you're handy with tcpdump, you shouldn't need to add a logging policy unless you get really stuck. If you do get stuck, however, here's an example which includes some tidy logging functionality. Hope it helps...
Thanks for the reply! This machine is already routing packets just fine, it's just this one static NAT issue that I can't seem to resolve. The default forward policy is ACCEPT. There are no filters on eth1 that would cause it to drop packets. In fact, if I simply assign 1.2.3.4 as an alias on eth1 I am able to connect to the services (SSH, for example) running locally on the router. When I try the DNAT, though, tcpdump shows me that the packets are arriving on eth1 but are never departing on eth4. So even if I didn't have another DNAT rule on eth1 for the return packets I would still be seeing SOME sort of activity on eth4, but I'm not. The only thing I can conclude is that the packets are being dropped somewhere in the kernel's iptables code but I can't figure out where or why. Any ideas?
Change the -i interface to eth1:3
iptables won't allow you to apply rules to aliased interfaces.
pestie, did you have a chance to set up any logging on your rules to make sure the packets are even hitting the filter, and not being dropped by the kernel for some crazy reason?
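The original poster asked for a short LOG example, and the first reply lists the things to check (ip_forward, the FORWARD policy, the SNAT rule). The script below is an added example written for this thread, not something any poster supplied, and it covers both. The interface names and addresses are the ones from the thread; the function names, the "DNAT-pre:"/"DNAT-fwd:" log prefixes and the --apply flag are this script's own convention. Without --apply it only prints the iptables commands it would run, so the rule set can be read before it is applied.

```shell
#!/bin/sh
# Added example, not posted by anyone in this thread.  It turns the checklist
# from the first reply into a script for the thread's setup and adds the LOG
# rules the original poster asked for.  Interface names and addresses are the
# thread's; the function names, log prefixes and the --apply flag are this
# script's own convention.  Without --apply nothing is changed.

EXT_IF=eth1          # external interface; eth1:3 is only an extra address on it,
                     # so iptables -i must name the real device, never "eth1:3"
DMZ_IF=eth4          # DMZ interface (10.0.0.1)
PUBLIC_IP=1.2.3.4    # address aliased onto eth1
DMZ_HOST=10.0.0.2    # DMZ host that should receive the mapped traffic

# forwarding_enabled: succeed only if the kernel's ip_forward flag reads 1.
# Takes an optional file path so it can be exercised without /proc.
forwarding_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# chain_policy TEXT: print the default policy (ACCEPT, DROP, ...) from the
# output of `iptables -L <chain> -n`, whose first line looks like
# "Chain FORWARD (policy DROP)" or, with -v, "Chain FORWARD (policy ACCEPT 12 packets, ...)".
chain_policy() {
    printf '%s\n' "$1" | sed -n 's/^Chain [^ ]* (policy \([A-Z]*\).*/\1/p'
}

# dnat_rules EXT DMZ PUBLIC HOST: print the rules for a static 1:1 mapping.
# The LOG rules use -I so they sit at the top of their chain and fire before
# anything can translate, accept or drop the packet.  nat/PREROUTING only sees
# the first packet of each connection, filter/FORWARD sees every forwarded
# packet, so a "DNAT-pre:" line with no matching "DNAT-fwd:" line means the
# packet was translated and then lost between the two chains.
# Replies to a DNATed connection are un-translated by connection tracking on
# their own; the SNAT rule is for connections the DMZ host opens itself.
dnat_rules() {
    ext=$1; dmz=$2; pub=$3; host=$4
    cat <<EOF
iptables -t nat -I PREROUTING -i $ext -d $pub -j LOG --log-prefix "DNAT-pre: "
iptables -t nat -A PREROUTING -i $ext -d $pub -j DNAT --to-destination $host
iptables -I FORWARD -i $ext -o $dmz -d $host -j LOG --log-prefix "DNAT-fwd: "
iptables -A FORWARD -i $ext -o $dmz -d $host -j ACCEPT
iptables -A FORWARD -i $dmz -o $ext -s $host -j ACCEPT
iptables -t nat -A POSTROUTING -o $ext -s $host -j SNAT --to-source $pub
EOF
}

main() {
    if forwarding_enabled; then
        echo "ok: ip_forward is 1"
    else
        echo "WARNING: /proc/sys/net/ipv4/ip_forward is not 1 (or unreadable); forwarding is off"
    fi
    if [ "${1:-}" = "--apply" ]; then
        dnat_rules "$EXT_IF" "$DMZ_IF" "$PUBLIC_IP" "$DMZ_HOST" | sh -e
        echo "FORWARD policy: $(chain_policy "$(iptables -L FORWARD -n)")"
    else
        echo "dry run; commands that --apply would execute:"
        dnat_rules "$EXT_IF" "$DMZ_IF" "$PUBLIC_IP" "$DMZ_HOST"
    fi
}
main "$@"
```

Run it as root with --apply on the router, then connect to 1.2.3.4 from outside and watch the kernel log (dmesg, or wherever klogd writes, typically /var/log/messages) for the two prefixes: both lines for each new connection mean the packet reached FORWARD with its destination already rewritten to 10.0.0.2; only "DNAT-pre:" means it never made it that far, which narrows the search to routing or a rule between the nat and filter tables. Remove the two LOG rules again once the problem is found, since they log every packet to the mapped host.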