How to do NAT in Iptables? ..(IP Public to Internal IP)
I am trying to NAT IP public:Port to Internal IP:Port (202.a.b.c SMTP to 172.16.1.169 SMTP) .. could anybody please help? thanks & regards Winanjaya
Code:
-A PREROUTING -p udp -m udp --dport 161 -d 202.a.b.c -j DNAT --to-destination 172.16.1.169:161

Hi Troop, I tried like that but it does not work.. (I meant it still cannot be reached from the internet)..
Do I need something in the INPUT section?
Actually, the command should be more like:
Code:
iptables -t nat -A PREROUTING -p TCP -i eth0 --dport 25 -d 202.a.b.c -j DNAT --to-destination 172.16.1.169:25

EDIT: Oh, don't forget to deal with the returning packets (which must have their IP set back to the public one):
Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Hi, thanks, it is still not working. What did I miss? What should I check?
Please help, thanks & regards

btw .. I am using eth0 connected to the internet router and eth1 to the switch hub..
eth0 is on 202.a.b.e, eth1 is on 172.16.1.1
Post the output of this command:
Code:
cat /proc/sys/net/ipv4/ip_forward

the result is 1
any idea?
Okay, what about the output of these:
Code:
iptables -nvL FORWARD
Code:
iptables -nvL -t nat

[root@firewall ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@firewall ~]# iptables -nvL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
[root@firewall ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 390 packets, 28481 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            202.a.b.c1           tcp dpt:25 to:172.16.1.69:25
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            202.a.b.c1           tcp dpt:110 to:172.16.1.69:110
Chain POSTROUTING (policy ACCEPT 13 packets, 1219 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 13 packets, 1219 bytes)
 pkts bytes target     prot opt in     out     source               destination

You don't have a POSTROUTING rule.

what should I put there regarding my NAT?

Code:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

still not working ;<( .. is it a routing problem?
[root@firewall ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 390 packets, 28481 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            202.a.b.c1           tcp dpt:25 to:172.16.1.69:25
    0     0 DNAT       tcp  --  eth0   *       0.0.0.0/0            202.a.b.c1           tcp dpt:110 to:172.16.1.69:110
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            tcp
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Can you post the output of the next command, please:
iptables-save
Quote:
If you want us to see if your routes look sane then you'll need to post the output of:
Code:
/sbin/route -n

[root@firewall ~]# iptables-save
# Generated by iptables-save v1.4.1.1 on Tue Mar 23 10:31:14 2010
*nat
:PREROUTING ACCEPT [2260:205929]
:POSTROUTING ACCEPT [153:11763]
:OUTPUT ACCEPT [7:1606]
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:110
-A POSTROUTING -o eth0 -p tcp -m tcp -j MASQUERADE
COMMIT
# Completed on Tue Mar 23 10:31:14 2010
# Generated by iptables-save v1.4.1.1 on Tue Mar 23 10:31:14 2010
*mangle
:PREROUTING ACCEPT [5449:1608049]
:INPUT ACCEPT [1955:242813]
:FORWARD ACCEPT [3202:1343717]
:OUTPUT ACCEPT [273:69830]
:POSTROUTING ACCEPT [3511:1424789]
COMMIT
# Completed on Tue Mar 23 10:31:14 2010
# Generated by iptables-save v1.4.1.1 on Tue Mar 23 10:31:14 2010
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [274:69870]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j ACCEPT
COMMIT
# Completed on Tue Mar 23 10:31:14 2010
[root@firewall ~]#

Thanks. You have two completely identical conditions, but two different actions:
Code:
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

yes, I knew it and had already updated it .. but the same problem still occurs..

Ok.
Can you please do "iptables-save", then cut what belongs to *nat and post it here. Also, please post the output of "route -n" as win32sux suggested. Also post the output of: ifconfig -a
Thanks
*nat
:PREROUTING ACCEPT [225:20219]
:POSTROUTING ACCEPT [5:640]
:OUTPUT ACCEPT [5:640]
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.16.1.69:110

[root@firewall ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.a.b.160     0.0.0.0         255.255.255.240 U     0      0        0 eth0
172.16.1.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1002   0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth0
0.0.0.0         202.a.b.c1      0.0.0.0         UG    0      0        0 eth0

[root@firewall ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:60:08:58:57:AF
          inet addr:202.a.b.166  Bcast:202.a.b.175  Mask:255.255.255.240
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:4673 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9904 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4353254 (4.1 MiB)  TX bytes:1790016 (1.7 MiB)
          Interrupt:17 Base address:0xa800

eth1      Link encap:Ethernet  HWaddr 00:50:BA:62:04:0A
          inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::250:baff:fe62:40a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:32061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7171 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:6063844 (5.7 MiB)  TX bytes:5144859 (4.9 MiB)
          Interrupt:19 Base address:0x8000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:31 errors:0 dropped:0 overruns:0 frame:0
          TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2880 (2.8 KiB)  TX bytes:2880 (2.8 KiB)

pan0      Link encap:Ethernet  HWaddr EE:E5:F1:F3:3D:93
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Looks perfect.
How do you check if it works or not?
I am trying to test port-forwarding for 202.a.b.162:25 and 202.a.b.162:110 using the tool below:
http://www.yougetsignal.com/tools/open-ports/ also trying to retrieve my email from the internet .. and failed. ;>( Is the routing table correct?

Routing table is correct.
Let's check deeper.
1. Can you ping 202.a.b.162 from the internet?
2. Can you ping 172.16.1.69 from 202.a.b.162?
3. As I understood, on 172.16.1.69 there is a mail server. Does 172.16.1.69 have any kind of filter or firewall?
4. Can you please type in any console on 202.a.b.162: telnet 172.16.1.69 25. What output will be?

1. Can you ping 202.a.b.162 from the internet?
A: No, but I am able to ping the linux firewall (202.a.b.166)
2. Can you ping 172.16.1.69 from 202.a.b.162?
A: No
3. As I understood, on 172.16.1.69 there is a mail server. Does 172.16.1.69 have any kind of filter or firewall?
A: No firewall (I turned it off) at 172.16.1.69
4. Can you please type in any console on 202.a.b.162: telnet 172.16.1.69 25. What output will be?
A: No

NAT not working .. I am unable to ping the host from the internet ;<(

1. Can you ping 172.16.1.69 from the linux firewall (202.a.b.166)?
2. Can you, from the console on the linux firewall (202.a.b.166), do: telnet 172.16.1.69 25? Thanks

1. Can you ping 172.16.1.69 from the linux firewall (202.a.b.166)?
A: Yes
2. Can you, from the console on the linux firewall (202.a.b.166), do: telnet 172.16.1.69 25?
A: Yes
Please, change your iptables rules on linux firewall (202.a.b.166) to:
Code:
-A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

202.a.b.166/32 is this the Linux firewall box?..
are you sure? 202.a.b.162/32 is the mail server

A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
This is your first rule. Please answer: 1. What is 202.a.b.c1? 2. What is 172.16.1.69?

ok.. let me clarify:
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.162/32 -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.16.1.69:110
172.16.1.69 is the mail server
Quote:
Can you please be more definite. If your mail server IP is 172.16.1.69, and you can ping 202.a.b.166 from the internet, then the next rule should do what you want:
A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25

yes, I am able to ping 202.a.b.166/32 from the internet .. but that's the linux firewall (172.16.1.1)
but you suggest below:
A PREROUTING -d 202.a.b.166/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
could you please advise? why should I use 202.a.b.166/32 instead of 202.a.b.162/32

because I have 16 IPs from my ISP:
202.a.b.162 is to be used for mail
202.a.b.163 is for ... bla bla
202.a.b.166 is for the linux firewall on eth0, and eth1 is 172.16.1.1
or do I need to create 16 virtual NICs on the linux firewall? any idea?

As I understood, 202.a.b.166 is the linux firewall interface reachable from the internet. And the linux box has only two interfaces - eth0 and eth1.
What is 202.a.b.162?

What is 202.a.b.162?
A: this IP 202.a.b.162 is to be port-forwarded to 172.16.1.69 for SMTP and POP3 service. or do I need to create a virtual IP of 202.a.b.162 on the Linux firewall as eth1:1?

Linux box can do it.
Packets from the internet will come to eth0=202.a.b.166, go through the firewall, through the router and go to the second interface eth1=172.16.1.1, then to the mail server=172.16.1.69. You do not need anything else

yes, that is also what I thought: the Linux firewall box on 202.a.b.166 receives packets from the internet; if an incoming packet's destination is IP 202.a.b.162 and destination port is 25 then it should be forwarded to 172.16.1.69:25 .. but it does not work .. this really makes me confused today :<(

I am suspecting the routing..
eth0 is on 202.a.b.166, eth1 is on 172.16.1.1 and the Internet Router is on 202.a.b.161. Do you have a suggestion about routing for the above conditions?

What makes you confused is that you do not understand that if packets from the internet were addressed to 202.a.b.166, they will never go any farther because their destination address is 202.a.b.166. That is why you use the iptables router - you manually resend them where you want.
That happens because only 202.a.b.166 is reachable from the internet and a remote computer can address its packets only to 202.a.b.166; it does not know about anything else.
Hi,
so all packets will arrive on eth0 202.a.b.166 and go to eth1=172.16.1.1.. but how to make an access-list so that 202.a.b.162 is forwarded to 172.16.1.169 for smtp and pop3? I am asking you this.. because I put DNS records for smtp & pop3 @202.a.b.162. please advise thanks & regards

Quote:
Can you ping 202.a.b.162 from the internet?

currently, I am using a CISCO PIX, I am unable to ping 202.a.b.162 but I am able to port-forward..
using Linux.. I am unable to ping 202.a.b.162 and I am also unable to port-forward

DNS record gives an IP address, which is used for connection from the internet. If 202.a.b.166 is reachable from the internet, you should put it in DNS. And then with Linux you will forward this connection to any internal IP and ports.

sorry, confused ;<(, could you please give me the complete iptables for doing this? .. I will change all of my iptables

when an internet user attempts to connect to 202.a.b.162:25 .. then the linux firewall (eth0 202.a.b.166 & eth1 172.16.1.1) receives the packet and forwards it to 172.16.1.69:25
could you please send me the iptables config for the above scenario? thanks a lot in advance Regards
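An added example for the scenario above, written by the editor and not by any poster in the thread. It prints (rather than runs) the commands for the thread's topology: eth0 = 202.a.b.166 on the public /28 shown by route -n, eth1 = 172.16.1.1/24, mail server 172.16.1.69. It assumes the missing piece is that 202.a.b.162 is configured on no host at all, so the upstream router's ARP for it is never answered and no frame ever reaches the PREROUTING rule; the firewall therefore takes the address on eth0 first. It also checks a saved rule set for the duplicated PREROUTING match seen in the posted iptables-save output.

```shell
#!/bin/sh
# Editor's example, not from the thread. Prints the commands to publish a
# public address on the firewall and forward its mail ports; nothing here
# touches the running system. Assumption: 202.a.b.162 is owned by no host,
# so the firewall must claim it on eth0 before DNAT can see any packets.

# dnat_commands PUBLIC_IP INTERNAL_IP PORT... -> commands on stdout
dnat_commands() {
    pub=$1; int=$2; shift 2
    # Own the address so the router delivers its frames to eth0 (/28 as in route -n).
    printf 'ip addr add %s/28 dev eth0\n' "$pub"
    # With forwarding off, DNAT rewrites the packet but nothing routes it on.
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    for p in "$@"; do
        # Rewrite PUBLIC_IP:PORT to INTERNAL_IP:PORT; conntrack un-NATs the replies.
        printf 'iptables -t nat -A PREROUTING -i eth0 -d %s/32 -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$pub" "$p" "$int" "$p"
        # FORWARD runs after DNAT, so it must match the internal address.
        printf 'iptables -A FORWARD -i eth0 -o eth1 -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$int" "$p"
    done
    printf 'iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n'
    # Source NAT is only for LAN clients going out; the inbound DNAT flow needs none.
    printf 'iptables -t nat -A POSTROUTING -o eth0 -s 172.16.1.0/24 -j MASQUERADE\n'
}

# dup_prerouting_matches < iptables-save text -> each PREROUTING match that
# appears with more than one DNAT target. In the posted save file two
# --dport 25 rules pointed at :25 and :110; only the first can ever fire.
dup_prerouting_matches() {
    sed -n 's/^\(-A PREROUTING .*\) -j DNAT .*/\1/p' | sort | uniq -d
}

# Constructed sample in iptables-save format, mirroring the posted mistake.
SAMPLE_SAVE='-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:25
-A PREROUTING -d 202.a.b.c1/32 -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.1.69:110'

dnat_commands 202.a.b.162 172.16.1.69 25 110
printf '%s\n' "$SAMPLE_SAVE" | dup_prerouting_matches
```

Review the printed commands, then run them as root; the generated rules do not touch the INPUT chain, so the posted SSH rule stays in place.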