LinuxQuestions.org, Linux - Networking forum

Old 01-16-2005, 09:42 PM   #1
pestie
LQ Newbie
 
Registered: Sep 2004
Posts: 13

Annoying static DNAT problem


Hi! I'm trying to get a simple static DNAT mapping working and I can't seem to make it work. In my case, eth1 is the external internet and eth4 is a DMZ (10.0.0.0/24). The machine I'm trying to NAT is 10.0.0.2.

eth1:3 is aliased to 1.2.3.4
eth4 is 10.0.0.1

I'm trying to do this:

Code:
iptables -t nat -A PREROUTING -i eth1 -d 1.2.3.4 -j DNAT --to-destination 10.0.0.2

Now, I realize that eth1 has to answer ARP requests for 1.2.3.4 for this to work. I've tried using proxy arp and adding an alias with ifconfig. Neither one works. tcpdump shows packets arriving for 1.2.3.4 on eth1 but never leaving eth4 for 10.0.0.4. I double-checked that routes exist for 10.0.0.0/8 and that no iptables rules are dropping the packets. But it seems the DNAT just isn't working for some reason. I am able to talk to 10.0.0.2 from the internal network (on eth0, 192.168.1.0/24), so routing through this box is obviously working. Any ideas?

I know it's possible to set LOG targets in iptables, but I'm not sure how to do that. So if anyone's thinking of suggesting that, please include a short example.

This is all under a custom-compiled Linux 2.4.27 kernel on a RedHat 9 system, by the way.
 
Old 01-17-2005, 12:03 AM   #2
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

hi,

What's your default FORWARD policy? If it's DROP, you will need to explicitly set a rule to forward between the interfaces/subnets. Also, make sure your forwarding flag has been set true in /proc/sys/net/ipv4/ip_forward (depends on your kernel though).

Make sure you have an INPUT rule on eth1 to allow inbound connections on the required port too.

And don't forget the SNAT/MASQ rule on eth1 for your return packets.

if you're handy with tcpdump, you shouldn't need to add a logging policy unless you get really stuck. If you do get stuck, however, here's an example which includes some tidy logging functionality.

hope it helps...
 
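The checks listed above, together with the LOG example asked for in #1, as an added script that is not part of the thread or any poster's own configuration. It builds the static DNAT for 1.2.3.4 -> 10.0.0.2 on eth1/eth4 (the original poster's names and addresses) and adds LOG rules on both sides of the DNAT step so /var/log/messages shows whether the translation happened. Everything else in it (rule order, log prefixes, the helper names, the sample log lines) is an assumption. Commands are only printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread: static DNAT 1.2.3.4 -> 10.0.0.2
# plus the checks from the reply above (ip_forward, FORWARD rules, source
# NAT) and LOG rules placed on either side of the DNAT step. Interface
# names and addresses are the original poster's; rule order, prefixes and
# the sample log lines are assumed. Commands are printed, not executed,
# unless APPLY=1 is set, so the script is safe to read and test as non-root.

WAN_IF=eth1        # external interface; 1.2.3.4 is an alias on it
DMZ_IF=eth4        # DMZ interface, 10.0.0.1
PUBLIC_IP=1.2.3.4
DMZ_HOST=10.0.0.2

if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

# Kernel forwarding flag. Takes the file to read so it can be checked
# against a constructed file; defaults to the real sysctl node.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# The DNAT itself. Match on the physical interface: an alias such as
# eth1:3 is not an interface as far as netfilter is concerned.
dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" \
        -j DNAT --to-destination "$DMZ_HOST"
}

# FORWARD rules, needed when the FORWARD policy is DROP. The filter table
# sees the packet after DNAT, so match the DMZ host, not the public IP.
forward_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_HOST" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_HOST" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Source NAT for connections the DMZ host originates. Replies to DNAT'd
# connections are reverse-translated by conntrack without any extra rule.
snat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_HOST" \
        -j SNAT --to-source "$PUBLIC_IP"
}

# LOG rules bracketing the DNAT: mangle/PREROUTING runs before nat/PREROUTING
# and logs DST=1.2.3.4; filter/FORWARD runs after it and should log
# DST=10.0.0.2 OUT=eth4. The limit match keeps a flood from filling syslog.
log_rules() {
    $IPT -t mangle -I PREROUTING 1 -i "$WAN_IF" -d "$PUBLIC_IP" \
        -m limit --limit 5/min -j LOG --log-prefix "pre-dnat: " --log-level warning
    $IPT -I FORWARD 1 -i "$WAN_IF" -d "$DMZ_HOST" \
        -m limit --limit 5/min -j LOG --log-prefix "post-dnat: " --log-level warning
}

# Print "<prefix> <IN> <OUT> <SRC> <DST>" from one LOG line as syslog
# writes it to /var/log/messages ("-" where an interface field is empty).
parse_log_line() {
    line=$1; p=${line##*"kernel: "}; p=${p%%IN=*}; p=${p% }
    inif=''; outif=''; src='-'; dst='-'
    for tok in $line; do
        case $tok in
            IN=*)  inif=${tok#IN=} ;;
            OUT=*) outif=${tok#OUT=} ;;
            SRC=*) src=${tok#SRC=} ;;
            DST=*) dst=${tok#DST=} ;;
        esac
    done
    echo "$p ${inif:--} ${outif:--} $src $dst"
}

# Constructed sample lines in the LOG format (not real captures).
SAMPLE_PRE='Jan 18 09:00:01 gw kernel: pre-dnat: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.9 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'
SAMPLE_POST='Jan 18 09:00:01 gw kernel: post-dnat: IN=eth1 OUT=eth4 SRC=203.0.113.9 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Given a log file, report where the packet was last seen:
# no-packets, lost-after-dnat (pre-dnat logged, post-dnat not) or dnat-ok.
diagnose() {
    pre=$(grep -c "pre-dnat: .*DST=$PUBLIC_IP " "$1" || true)
    post=$(grep -c "post-dnat: .*OUT=$DMZ_IF .*DST=$DMZ_HOST " "$1" || true)
    if [ "$pre" -eq 0 ]; then echo no-packets
    elif [ "$post" -eq 0 ]; then echo lost-after-dnat
    else echo dnat-ok; fi
}

main() {
    check_ip_forward || echo "ip_forward is 0: echo 1 > /proc/sys/net/ipv4/ip_forward" >&2
    log_rules; dnat_rules; forward_rules; snat_rules
}

# sh dnat-debug.sh run   (dry run)     APPLY=1 sh dnat-debug.sh run   (apply)
case "${1:-}" in run) main ;; esac
```

After applying, watch `tail -f /var/log/messages | grep dnat:` while connecting from outside. A "pre-dnat:" line with no matching "post-dnat:" line means the packet was lost between the nat table and the forwarding decision; a "post-dnat:" line with OUT=eth4 and DST=10.0.0.2 means the translation itself works and the problem is on the DMZ side. Test with a fresh connection: a flow that conntrack saw before the DNAT rule existed keeps its old, untranslated mapping until it expires.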
Old 01-17-2005, 02:57 PM   #3
pestie
LQ Newbie
 
Registered: Sep 2004
Posts: 13

Original Poster
Thanks for the reply! This machine is already routing packets just fine, it's just this one static NAT issue that I can't seem to resolve. The default forward policy is ACCEPT. There are no filters on eth1 that would cause it to drop packets. In fact, if I simply assign 1.2.3.4 as an alias on eth1 I am able to connect to the services (SSH, for example) running locally on the router.

When I try the DNAT, though, tcpdump shows me that the packets are arriving on eth1 but are never departing on eth4. So even if I didn't have another DNAT rule on eth1 for the return packets I would still be seeing SOME sort of activity on eth4, but I'm not. The only thing I can conclude is that the packets are being dropped somewhere in the kernel's iptables code but I can't figure out where or why. Any ideas?
 
Old 01-18-2005, 07:54 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Change the -i interface to eth1:3
 
Old 01-18-2005, 04:32 PM   #5
angrybeaver
Member
 
Registered: Aug 2004
Location: .au
Distribution: debian, BSD
Posts: 104

iptables won't allow you to apply rules to aliased interfaces.

pestie, did you have a chance to setup any logging on your rules to make sure the packets are even hitting the filter, and not being dropped by the kernel for some crazy reason?
 