LinuxQuestions.org

Linux - Networking: Annoying static DNAT problem (https://www.linuxquestions.org/questions/linux-networking-3/annoying-static-dnat-problem-278673/)

pestie 01-16-2005 09:42 PM

Annoying static DNAT problem
 
Hi! I'm trying to get a simple static DNAT mapping working and I can't seem to make it work. In my case, eth1 is the external internet and eth4 is a DMZ (10.0.0.0/24). The machine I'm trying to NAT is 10.0.0.2.

eth1:3 is aliased to 1.2.3.4
eth4 is 10.0.0.1

I'm trying to do this:

Code:

# nat/PREROUTING: rewrite the destination of packets arriving on eth1 for 1.2.3.4
iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -j DNAT --to-destination 10.0.0.2

Now, I realize that eth1 has to answer ARP requests for 1.2.3.4 for this to work. I've tried using proxy arp and adding an alias with ifconfig. Neither one works. tcpdump shows packets arriving for 1.2.3.4 on eth1 but never leaving eth4 for 10.0.0.4. I double-checked that routes exist for 10.0.0.0/8 and that no iptables rules are dropping the packets. But it seems the DNAT just isn't working for some reason. I am able to talk to 10.0.0.2 from the internal network (on eth0, 192.168.1.0/24), so routing through this box is obviously working. Any ideas?

I know it's possible to set LOG targets in iptables, but I'm not sure how to do that. So if anyone's thinking of suggesting that, please include a short example.

This is all under a custom-compiled Linux 2.4.27 kernel on a RedHat 9 system, by the way.

angrybeaver 01-17-2005 12:03 AM

hi,

what's your default FORWARD policy? If it's DROP, you will need to explicitly set a rule to forward between the interfaces/subnets. Also, make sure your forwarding flag has been set true in /proc/sys/net/ipv4/ip_forward (depends on your kernel though).

Make sure you have an INPUT rule on eth1 to allow inbound connections on the required port too.

and don't forget the SNAT/MASQ rule on eth1 for your return packets ;)

if you're handy with tcpdump, you shouldn't need to add a logging policy unless you get really stuck. If you do get stuck, however, here's an example which includes some tidy logging functionality.

hope it helps...
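The points raised in this reply (FORWARD rule, ip_forward, SNAT for the replies) and the LOG example the original post asked for, put together as one script. This is an added example, not code from either poster. Interfaces and addresses are the ones given in the thread; the choice to SNAT the replies to 1.2.3.4, the rate limit on the LOG rules and the log prefixes are assumptions. Setting IPT="echo iptables" prints the rules instead of applying them, so the script can be reviewed without root.

```shell
#!/bin/sh
# Added example for the thread above (not from the original posts).
# Topology from the thread: eth1 = external, eth1:3 = 1.2.3.4, eth4 = DMZ,
# 10.0.0.2 = host receiving the forwarded traffic.
# Assumed: replies are SNATed to 1.2.3.4; LOG rules are rate limited.
# Set IPT="echo iptables" to preview the rules without applying them.

EXT_IF=eth1          # external interface (the alias eth1:3 cannot be used in -i)
DMZ_IF=eth4          # DMZ interface
PUBLIC_IP=1.2.3.4    # address aliased onto eth1:3
DMZ_HOST=10.0.0.2    # DNAT target in the DMZ

IPT="${IPT:-iptables}"   # left unquoted below so "echo iptables" splits

# Returns 0 when the kernel forwarding flag is set, 1 otherwise.
check_forwarding() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

setup_dnat() {
    # 1. Rewrite the destination of new connections arriving for the public IP.
    #    The nat table only sees the first packet of each connection; conntrack
    #    rewrites the rest.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$DMZ_HOST"

    # 2. Replies from the DMZ host leave eth1 with the public IP as source.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$DMZ_HOST" \
        -j SNAT --to-source "$PUBLIC_IP"

    # 3. FORWARD must accept the traffic even when the chain policy is DROP.
    #    Only the DNATed host is reachable from outside; the DMZ may only reply.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$DMZ_HOST" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# LOG targets at the two places the thread's packets could disappear:
# before DNAT in nat/PREROUTING (destination still 1.2.3.4) and at the top
# of FORWARD (destination already 10.0.0.2). Both are rate limited so a
# flood cannot fill the log. Entries land in the kernel log (dmesg, or
# /var/log/messages on RedHat 9) with the given prefix.
setup_logging() {
    $IPT -t nat -I PREROUTING 1 -i "$EXT_IF" -d "$PUBLIC_IP" \
        -m limit --limit 5/min -j LOG --log-prefix "DNAT-in: " --log-level 4
    $IPT -I FORWARD 1 -d "$DMZ_HOST" \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-dmz: " --log-level 4
}

# Usage (as root, on the router):
#   check_forwarding || echo 1 > /proc/sys/net/ipv4/ip_forward
#   setup_logging
#   setup_dnat
# A packet that shows up under "DNAT-in:" but never under "FWD-dmz:" did not
# survive the nat table; one that shows up under both but never leaves eth4
# is being dropped by a later FORWARD rule.
```

With the rules in place, the two prefixes split the path in half: a connection attempt should produce one `DNAT-in:` line (first packet only, since it sits in the nat table) and one `FWD-dmz:` line for the same packet with its new destination. Remove the LOG rules once the problem is found; they are a diagnostic, not part of the ruleset.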

pestie 01-17-2005 02:57 PM

Thanks for the reply! This machine is already routing packets just fine, it's just this one static NAT issue that I can't seem to resolve. The default forward policy is ACCEPT. There are no filters on eth1 that would cause it to drop packets. In fact, if I simply assign 1.2.3.4 as an alias on eth1 I am able to connect to the services (SSH, for example) running locally on the router. When I try the DNAT, though, tcpdump shows me that the packets are arriving on eth1 but are never departing on eth4. So even if I didn't have another DNAT rule on eth1 for the return packets I would still be seeing SOME sort of activity on eth4, but I'm not. The only thing I can conclude is that the packets are being dropped somewhere in the kernel's iptables code but I can't figure out where or why. Any ideas?

peter_robb 01-18-2005 07:54 AM

Change the -i interface to eth1:3

angrybeaver 01-18-2005 04:32 PM

iptables won't allow you to apply rules to aliased interfaces.

pestie, did you have a chance to set up any logging on your rules to make sure the packets are even hitting the filter, and not being dropped by the kernel for some crazy reason?


All times are GMT -5.