LinuxQuestions.org


Winanjaya 03-22-2010 07:56 PM

How to do NAT in Iptables? ..(IP Public to Internal IP)
 
How to do NAT in Iptables? ..
I am trying to NAT IP public:Port to Internal IP:Port (202.a.b.c SMTP to 172.16.1.169 SMTP) ..

could anybody please help?

thanks & regards

Winanjaya

troop 03-22-2010 08:03 PM

Code:

-A PREROUTING -p udp -m udp --dport 161 -d 202.a.b.c -j DNAT --to-destination 172.16.1.169:161

Winanjaya 03-22-2010 08:18 PM

Hi Troop, I tried it like that but it does not work.. (I mean it still cannot be reached from the internet)..
Do I need something in INPUT section?

win32sux 03-22-2010 08:56 PM

Actually, the command should be more like:
Code:

iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 25 -d 202.a.b.c \
-j DNAT --to-destination 172.16.1.169

And no, this wouldn't require anything be done to the INPUT chain. It would only require that IP forwarding be enabled, and that the packet gets sent to ACCEPT somewhere in the FORWARD chain. BTW, I'm moving this to Networking.

EDIT: Oh, don't forget to deal with the returning packets (which must have their IP set back to the public one):
Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Winanjaya 03-22-2010 09:23 PM

Hi, thanks, it is still not working. What did I miss? What should I check?
please help
thanks & regards

Winanjaya 03-22-2010 09:25 PM

btw .. I am using eth0 connected to the internet router and eth1 to the switch hub..

eth0 is on 202.a.b.e
eth1 is on 172.16.1.1

win32sux 03-22-2010 09:34 PM

Post the output of this command:
Code:

cat /proc/sys/net/ipv4/ip_forward

Winanjaya 03-22-2010 09:44 PM

the result is 1
any idea?

win32sux 03-22-2010 09:44 PM

Okay, what about the output of these:
Code:

iptables -nvL FORWARD
Code:

iptables -nvL -t nat

Winanjaya 03-22-2010 10:03 PM

[root@firewall ~]# cat /proc/sys/net/ipv4/ip_forward
1


[root@firewall ~]# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0


[root@firewall ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 390 packets, 28481 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 202.a.b.c1 tcp dpt:25 to:172.16.1.69:25
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 202.a.b.c1 tcp dpt:110 to:172.16.1.69:110


Chain POSTROUTING (policy ACCEPT 13 packets, 1219 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 13 packets, 1219 bytes)
pkts bytes target prot opt in out source destination

win32sux 03-22-2010 10:09 PM

You don't have a POSTROUTING rule.

Winanjaya 03-22-2010 10:12 PM

what should I put there for my NAT?

win32sux 03-22-2010 10:14 PM

Code:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Winanjaya 03-22-2010 10:24 PM

still not working ;<( .. is it a routing problem?

[root@firewall ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 390 packets, 28481 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 202.a.b.c1 tcp dpt:25 to:172.16.1.69:25
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 202.a.b.c1 tcp dpt:110 to:172.16.1.69:110

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

nimnull22 03-22-2010 10:28 PM

Can you post the output of the following command, please:
iptables-save

win32sux 03-22-2010 10:30 PM

Quote:

Originally Posted by Winanjaya (Post 3908345)
still not working ;<( .. is it a routing problem?

[root@firewall ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 390 packets, 28481 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 202.a.b.c1 tcp dpt:25 to:172.16.1.69:25
0 0 DNAT tcp -- eth0 * 0.0.0.0/0 202.a.b.c1 tcp dpt:110 to:172.16.1.69:110

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

How are you conducting your tests? The output you're posting says that no packets have hit those PREROUTING rules, so no point in going any further to troubleshoot for now. BTW, why'd you add a TCP match to the POSTROUTING rule? That would cause problems for ICMP packets in state RELATED.

If you want us to see if your routes look sane then you'll need to post the output of:
Code:

/sbin/route -n

Winanjaya 03-22-2010 10:34 PM

[root@firewall ~]# iptables-save
# Generated by iptables-save v1.4.1.1 on Tue Mar 23 10:31:14 2010
*nat
:PREROUTING ACCEPT [2260:205929]
:POSTROUTING ACCEPT [153:11763]
:OUTPUT ACCEPT [7:1606]
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:110
-A POSTROUTING -o eth0 -p tcp -m tcp -j MASQUERADE
COMMIT
# Completed on Tue Mar 23 10:31:14 2010
# Generated by iptables-save v1.4.1.1 on Tue Mar 23 10:31:14 2010
*mangle
:PREROUTING ACCEPT [5449:1608049]
:INPUT ACCEPT [1955:242813]
:FORWARD ACCEPT [3202:1343717]
:OUTPUT ACCEPT [273:69830]
:POSTROUTING ACCEPT [3511:1424789]
COMMIT
# Completed on Tue Mar 23 10:31:14 2010
# Generated by iptables-save v1.4.1.1 on Tue Mar 23 10:31:14 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [274:69870]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j ACCEPT
COMMIT
# Completed on Tue Mar 23 10:31:14 2010
[root@firewall ~]#

nimnull22 03-22-2010 10:46 PM

Thanks. You have two rules with exactly the same conditions but two different actions:
Code:

-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:110

What do you need, do you want to send packets to the port 25 or 110?

Winanjaya 03-22-2010 10:52 PM

yes, I knew it and had already updated it .. but the same problem still occurs..

nimnull22 03-22-2010 11:06 PM

Ok.
Can you please do "iptables-save", then cut out the part that belongs to *nat and post it here.
Also, please post the output of "route -n", as win32sux suggested.
Also post the output of: ifconfig -a

Thanks

Winanjaya 03-22-2010 11:22 PM

*nat
:PREROUTING ACCEPT [225:20219]
:POSTROUTING ACCEPT [5:640]
:OUTPUT ACCEPT [5:640]
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.16.1.69:110


[root@firewall ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.a.b.160 0.0.0.0 255.255.255.240 U 0 0 0 eth0
172.16.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth0
0.0.0.0 202.a.b.c1 0.0.0.0 UG 0 0 0 eth0

[root@firewall ~]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:60:08:58:57:AF
inet addr:202.a.b.166 Bcast:202.a.b.175 Mask:255.255.255.240
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:4673 errors:0 dropped:0 overruns:0 frame:0
TX packets:9904 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4353254 (4.1 MiB) TX bytes:1790016 (1.7 MiB)
Interrupt:17 Base address:0xa800

eth1 Link encap:Ethernet HWaddr 00:50:BA:62:04:0A
inet addr:172.16.1.1 Bcast:172.16.1.255 Mask:255.255.255.0
inet6 addr: fe80::250:baff:fe62:40a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:32061 errors:0 dropped:0 overruns:0 frame:0
TX packets:7171 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6063844 (5.7 MiB) TX bytes:5144859 (4.9 MiB)
Interrupt:19 Base address:0x8000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:31 errors:0 dropped:0 overruns:0 frame:0
TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2880 (2.8 KiB) TX bytes:2880 (2.8 KiB)

pan0 Link encap:Ethernet HWaddr EE:E5:F1:F3:3D:93
BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

nimnull22 03-22-2010 11:34 PM

Looks perfect.
How do you check if it works or not?

Winanjaya 03-22-2010 11:38 PM

I am trying to test port-forwarding for 202.a.b.162:25 and 202.a.b.162:110 using the tool below:

http://www.yougetsignal.com/tools/open-ports/

also trying to retrieve my email from the internet .. and it failed.

;>(

Is the routing table correct?

nimnull22 03-22-2010 11:52 PM

The routing table is correct.
Let's check deeper.
1. Can you ping 202.a.b.162 from the internet?
2. Can you ping 172.16.1.69 from 202.a.b.162?
3. As I understood, there is a mail server on 172.16.1.69. Does 172.16.1.69 have any kind of filter or firewall?
4. Can you please type, in any console on 202.a.b.162: telnet 172.16.1.69 25. What is the output?

Winanjaya 03-23-2010 12:34 AM

1. Can you ping 202.a.b.162 from the internet?
A: No, but I am able to ping the linux firewall (202.a.b.166)

2. Can you ping 172.16.1.69 from 202.a.b.162?
A: No

3. As I understood, there is a mail server on 172.16.1.69. Does 172.16.1.69 have any kind of filter or firewall?
A: No firewall (I turned it off) at 172.16.1.69

4. Can you please type, in any console on 202.a.b.162: telnet 172.16.1.69 25. What is the output?
A: No

Winanjaya 03-23-2010 01:12 AM

NAT is not working .. I am unable to ping the host from the internet ;<(

nimnull22 03-23-2010 10:01 AM

1. Can you ping 172.16.1.69 from the linux firewall (202.a.b.166)?
2. Can you, from a console on the linux firewall (202.a.b.166), do: telnet 172.16.1.69 25?

Thanks

Winanjaya 03-23-2010 10:12 AM

1. Can you ping 172.16.1.69 from the linux firewall (202.a.b.166)?
A: Yes
2. Can you, from a console on the linux firewall (202.a.b.166), do: telnet 172.16.1.69 25?
A: Yes

nimnull22 03-23-2010 10:16 AM

Please, change your iptables rules on linux firewall (202.a.b.166) to:
Code:

-A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.16.1.69:110


Winanjaya 03-23-2010 10:40 AM

202.a.b.166/32 is this Linux firewall box.. are you sure?

202.a.b.162/32 is the mail server

nimnull22 03-23-2010 10:43 AM

-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

This is your first rule.
Answer please,
1. What is 202.a.b.c1?
2. What is 172.16.1.69?

Winanjaya 03-23-2010 10:48 AM

ok.. let me clarify:

-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.16.1.69:110

172.16.1.69 is the mail server

nimnull22 03-23-2010 11:01 AM

Quote:

Originally Posted by Winanjaya (Post 3909109)
202.a.b.166/32 is this Linux firewall box.. are you sure?

202.a.b.162/32 is the mail server

This is your post; here you said that 202.a.b.162/32 is the mail server.

Can you please be more definite.
If your mail server IP is 172.16.1.69, and you can ping 202.a.b.166 from the internet, then the next rule should do what you want:

-A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

Winanjaya 03-23-2010 11:08 AM

yes, I am able to ping 202.a.b.166/32 from the internet .. but that's the linux firewall (172.16.1.1)

but you suggest the following:
-A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

could you please advise why I should use 202.a.b.166/32 instead of 202.a.b.162/32?

Winanjaya 03-23-2010 11:11 AM

because I have 16 IPs from my ISP:

202.a.b.162 is to be used for mail
202.a.b.163 is for ... bla bla
202.a.b.166 is for linux firewall on eth0 and eth1 is 172.16.1.1

or do I need to create 16 virtual NICs on linux firewall?

any idea?

nimnull22 03-23-2010 11:13 AM

As I understood, 202.a.b.166 is linux firewall interface reachable from internet. And linux box has only two interfaces - eth0 and eth1.

What is 202.a.b.162?

Winanjaya 03-23-2010 11:18 AM

What is 202.a.b.162?
A: this IP 202.a.b.162 is meant to be port-forwarded to 172.16.1.69 for the SMTP and POP3 services.

or do I need to create a virtual IP of 202.a.b.162 on the Linux firewall as Eth1:1?

nimnull22 03-23-2010 11:27 AM

The Linux box can do it.
Packets from the internet will come to eth0=202.a.b.166, go through the firewall, through the router and on to the second interface eth1=172.16.1.1, then to the mail server=172.16.1.69

You do not need anything else

Winanjaya 03-23-2010 11:39 AM

yes, that is also what I thought: the Linux firewall box on 202.a.b.166 receives packets from the internet, and if an incoming packet's destination is IP 202.a.b.162 and the destination port is 25 then it should be forwarded to 172.16.1.69:25 .. but it does not work .. this is really confusing me today :<(

Winanjaya 03-23-2010 11:41 AM

I am suspecting the routing..

Eth0 is on 202.a.b.166
Eth1 is on 172.16.1.1

and the Internet Router is on 202.a.b.161

Do you have a suggestion about routing for the above conditions?

nimnull22 03-23-2010 12:02 PM

What makes you confused is that you do not understand that if packets from the internet were addressed to 202.a.b.166, they would never go any farther, because their destination address is 202.a.b.166. That is why you use the iptables router - you manually resend them where you want.
That happens because only 202.a.b.166 is reachable from the internet, and the remote computer can address its packets only to 202.a.b.166; it does not know about anything else.

Winanjaya 03-23-2010 08:50 PM

Hi,
so all the packets will arrive on eth0 202.a.b.166 and go to eth2=172.16.1.1..
but how do I make an access-list so that

202.a.b.162 should be forwarded to 172.16.1.169 for smtp and pop3?

I am asking you this.. because I put the dns record for smtp & pop3 @202.a.b.162

please advise

thanks & regards

nimnull22 03-23-2010 09:36 PM

Quote:

Originally Posted by Winanjaya (Post 3909833)
Hi,
so all the packets will arrive on eth0 202.a.b.166 and go to eth2=172.16.1.1..
but how do I make an access-list so that
202.a.b.162 should be forwarded to 172.16.1.169 for smtp and pop3?
I am asking you this.. because I put the dns record for smtp & pop3 @202.a.b.162
please advise
thanks & regards

If you put the DNS record for your mail server to IP=202.a.b.162, it means that the mail client will attempt to connect to IP=202.a.b.162, and 202.a.b.162 should be reachable from the internet. Is it?
Can you ping 202.a.b.162 from internet?
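A small checker for the three defects this thread turned up in the poster's `iptables-save` output: a DNAT whose destination address no local interface owns (so PREROUTING never sees the packets, the point made above), a MASQUERADE rule restricted with `-p tcp` (win32sux's objection), and two rules with identical matches (nimnull22's). This is an added example, not code from the thread; the sample and the local-address set are constructed, with RFC 5737 documentation addresses standing in for the poster's 202.a.b.x values.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's `iptables-save` output; RFC 5737
# documentation addresses stand in for the poster's 202.a.b.x values.
SAMPLE_SAVE = """\
*nat
:PREROUTING ACCEPT [2260:205929]
-A PREROUTING -d 203.0.113.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 203.0.113.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:110
-A POSTROUTING -o eth0 -p tcp -m tcp -j MASQUERADE
COMMIT
"""
# Constructed: the addresses the firewall actually owns (from `ifconfig -a` / `ip -4 addr`).
LOCAL_ADDRS = {"203.0.113.166", "172.16.1.1"}

RULE_RE = re.compile(r"^-A (\S+) (.*?) -j (\S+)(?: (.*))?$")

def lint_nat(save_text, local_addrs):
    """Return findings for the *nat table of iptables-save output (no rules are changed)."""
    findings, flagged = [], set()
    by_match = defaultdict(list)            # (chain, match expression) -> targets
    in_nat = False
    for line in save_text.splitlines():
        if line.startswith("*"):            # table header: *nat, *filter, *mangle
            in_nat = line == "*nat"
            continue
        m = RULE_RE.match(line) if in_nat else None
        if not m:
            continue
        chain, match, target, args = m.group(1), m.group(2), m.group(3), m.group(4) or ""
        by_match[(chain, match)].append(f"{target} {args}".strip())
        dst = re.search(r"-d (\d+\.\d+\.\d+\.\d+)", match)
        if target == "DNAT" and dst and dst.group(1) not in local_addrs | flagged:
            # PREROUTING only sees packets the box accepted off the wire: an address
            # no interface owns is never answered for, so the rule never fires.
            flagged.add(dst.group(1))
            findings.append(f"DNAT for {dst.group(1)}, but no local interface owns it")
        if target in ("MASQUERADE", "SNAT") and " -p " in f" {match} ":
            # Protocol-restricted source NAT leaves RELATED ICMP errors untranslated.
            findings.append(f"{chain} {target} is restricted with -p; drop the protocol match")
    for (chain, match), targets in by_match.items():
        if len(targets) > 1:
            # DNAT/SNAT targets terminate, so only the first of identical matches ever fires.
            findings.append(f"{chain}: {len(targets)} rules share match '{match}'; the later ones are dead")
    return findings
```

Run it against the real output with `lint_nat(open("rules.txt").read(), local_addrs)` after filling the set from the box's own interfaces.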

Winanjaya 03-23-2010 10:08 PM

currently, I am using a CISCO PIX; I am unable to ping 202.a.b.162 but I am able to port-forward..
using Linux.. I am unable to ping 202.a.b.162 and I am also unable to port-forward

nimnull22 03-23-2010 10:22 PM

A DNS record gives an IP address, which is used for the connection from the internet. If 202.a.b.166 is reachable from the internet, you should put it in DNS. And then with Linux you will forward this connection to any internal IP and ports.

Winanjaya 03-23-2010 10:36 PM

sorry, confused ;<(, could you please give me the complete iptables for doing this? .. I will change all of my iptables

Winanjaya 03-23-2010 10:40 PM

when an internet user attempts to connect to 202.a.b.162:25 .. then the linux-firewall (eth0 202.a.b.166 & eth1 172.16.1.1) receives the packet, then forwards it to 172.16.1.69:25

could you please send me the iptables config for the above scenario?

thanks a lot in advance

Regards
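A complete rule set for the scenario in this last post, as an added example that is not part of the thread or any participant's answer. It assumes the constructed RFC 5737 addresses named in the comments (in place of 202.a.b.x) and an iptables with the conntrack match; the step the thread never settles is that the firewall has to own the extra public address before PREROUTING can see traffic for it, so the script adds it as a secondary address on the WAN interface (the "virtual IP" idea raised earlier, but on eth0 rather than eth1). It prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed RFC 5737 addresses replace the
# poster's 202.a.b.x: PUB_FW is the firewall's own WAN address, PUB_MAIL the extra
# public IP that should reach the mail server. Prints the commands; APPLY=1 runs them.
WAN=eth0; LAN=eth1; LAN_NET=172.16.1.0/24
PUB_FW=203.0.113.166
PUB_MAIL=203.0.113.162
MAIL=172.16.1.69
PORTS="25 110"

nat_rules() {
  # PREROUTING only sees packets the box accepts off the wire, so the firewall
  # must answer for PUB_MAIL itself: add it as a secondary address on the WAN side.
  echo "ip addr add $PUB_MAIL/28 dev $WAN"
  echo "sysctl -w net.ipv4.ip_forward=1"
  echo "iptables -P FORWARD DROP"
  for p in $PORTS; do
    echo "iptables -t nat -A PREROUTING -i $WAN -d $PUB_MAIL -p tcp --dport $p -j DNAT --to-destination $MAIL:$p"
    # One stateful FORWARD rule per published port instead of the thread's blanket ACCEPT.
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $MAIL -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo "iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Outbound source NAT with no -p match, so RELATED ICMP is translated as well.
  # Replies to the DNATed connections are reversed by conntrack and need no rule.
  echo "iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j SNAT --to-source $PUB_FW"
}

iptables_rule_count() { nat_rules | grep -c '^iptables'; }

if [ "${APPLY:-0}" = "1" ]; then
  nat_rules | while IFS= read -r cmd; do $cmd; done
else
  nat_rules
fi
```

With the secondary address in place, the DNS records for SMTP and POP3 can stay on PUB_MAIL (the 202.a.b.162 of the thread) rather than moving to the firewall's own address.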

