LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-30-2001, 02:03 AM   #1
phek
Member
 
Registered: Jul 2001
Location: California, US
Distribution: Slackware
Posts: 196

Rep: Reputation: 30
I'm goin' F'n nuts!


OK, it's now 11:00pm and I've been at work since 9:00am (with no lunch) working on getting a new router/firewall running (my first Linux-based). I'm using iptables/masquerade and so far I'm able to connect going out of my LAN but can't get any IP forwarding for incoming ports. All I need is to be able to forward incoming inet port 25 to my LAN 10.1.1.3 port 25. I've searched around and from what I can tell I'm just supposed to do,
iptables -t nat -A PREROUTING -d <internet_ip> --dport 25 -j DNAT --to 10.1.1.3:25
Well, I've done that and it doesn't change anything (I don't even see it when I do an iptables -L). If it matters I'm using the rc.firewall.txt from http://people.unix-fu.org/andreasson/index.html on Slackware 8 2.4.12.

OK, I've finally decided to go home, so hopefully someone will have helped me out by morning.
 
Old 10-30-2001, 10:37 AM   #2
KevinJ
Member
 
Registered: Feb 2001
Location: Colorado Springs, CO
Distribution: Redhat v8.0 (soon to be Fedora? or maybe I will just go back to Slackware)
Posts: 857

Rep: Reputation: 30
Try

iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to 10.1.1.3:25

Assuming eth0 is the internet NIC, or you can change it to eth1
 
Old 10-30-2001, 01:18 PM   #3
phek
Original Poster
Nope, that didn't work either. It doesn't give me any errors but just takes me to a new prompt, and I don't see anything changed with iptables -L. I'm not sure if it matters but I don't have a PREROUTING or a DNAT chain (at least it doesn't come up with iptables -L), so could that be the problem?
 
Old 10-30-2001, 01:49 PM   #4
hommih
Member
 
Registered: Oct 2001
Location: Norway
Distribution: SuSE 7.0, Red Hat 7.2
Posts: 32

Rep: Reputation: 15
There was a great article about iptables in the September issue of Linux Journal; you could try to get it, or check out www.linuxjournal.com.

Not very familiar with iptables yet, but following the guidelines in the article mentioned above, the following should do it:

iptables -t nat -A PREROUTING -d <internet-ip> -p tcp --dport 25 -j DNAT --to-destination 10.1.1.3:25

Above this you must of course have a statement that allows connections to port 25.

Don't know if this helps at all...

Hommi

Last edited by hommih; 10-30-2001 at 08:35 PM.
 
Old 10-30-2001, 01:55 PM   #5
phek
Original Poster
OK, I was wrong about it not showing those chains. I did an iptables -t nat -L and they showed up along with the ones I've put in. Now I guess I just need to figure out how to allow connections to port 25.
 
Old 10-30-2001, 03:08 PM   #6
phek
Original Poster
OK, well, I've just realized that normally my connection just times out, but if I do
iptables -A FORWARD -p TCP -i eth1 --dport 25 -m state --state NEW -j ACCEPT
it will actually not time out and it'll get a connection refused, which I'm assuming means it's just not forwarding to the right host now. Does that sound correct to anyone else?
 
Old 10-31-2001, 02:24 PM   #7
phek
Original Poster
Finally got it fixed and realized there was a command that I was missing, so I'll list the 3 commands that forward which had me stumped, and while I'm at it I'll list what each one does because I don't think I've seen that posted here yet. Oh yeah, eth0 is my LAN NIC and eth1 is my internet NIC.

iptables -t nat -A PREROUTING -i eth1 -p TCP -d <internet IP> --dport 25 -j DNAT --to 10.1.1.2:25
The -t nat says to look in the table nat, the -A PREROUTING says to add to the PREROUTING chain in the nat table, the -i eth1 says to watch your internet NIC for incoming packets with TCP protocol (-p TCP) that are directed to your internet IP (-d <INET IP>) with the destination port 25 (--dport 25), and if something matches all this criteria jump to DNAT (-j DNAT) and change the packet's destination IP to 10.1.1.25 and the destination port to 25 (--to 10.1.1.2:25). Now with the -j DNAT we jump to this:

iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.1.1.2 --dport 25 -j ACCEPT
The -A FORWARD says to add this to the FORWARD chain in the default table 'filter' (since there's no -t, filter is the default table), and now anything incoming on eth1 (-i eth1) over TCP protocol (-p TCP) with the destination IP of 10.1.1.2 (remember we changed the destination IP in the previous command?) (-d 10.1.1.25) and destined for port 25 (--dport 25) will be accepted (-j ACCEPT) and output on eth0 (-o eth0).

Now this completes port forwarding to port 25, but you still need this next command for output.

iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/8 -j SNAT --to-source <INET IP>
In table nat (-t nat), add to the POSTROUTING chain (-A POSTROUTING), look for outgoing packets on eth0 with the source address of 10.1.1.0/8 (-s 10.1.1.0/8) (this needs some explaining which I'll do below), jump to SNAT (-j SNAT) and change the source IP of the packet to your INET IP (--to-source <INET IP>). What this does is change the source IP so that when someone on the internet tries to reply to you they aren't trying to reply to your LAN IP address, which would be invalid to them.

OK, now for the 10.1.1.0/8. The /# just means to verify the first # bits of the IP: the first octet (10.) in this case is the first 8 bits, the first and second octets here (10.1.) are the first 16 bits, the first, second and third octets (10.1.1.) are the first 24 bits, and if you want to match the entire IP it's the first 32 bits. Pretty simple, huh?


Well, I figured I'd post this to hopefully help someone out who runs into the problem. Though I know there have been a lot of posts out there about it, too many don't have answers, or have answers that aren't all that useful in your particular case. Plus who knows, knowing myself I'll probably forget and have to refer back here.

Here are a couple of sites I found that were useful that I haven't seen posted before:
http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
This one has a lot of useful links, including the following one, which is great for understanding the concept and how the predefined tables work:
http://www.knowplace.org/netfilter/

Last edited by phek; 06-13-2002 at 08:00 PM.
 
Old 10-31-2001, 02:34 PM   #8
KevinJ
Phek,

Nice job. Your last post is going in my list of "Linux TIPS"



Kevin
 
Old 10-31-2001, 02:38 PM   #9
phek
Original Poster
Hehe, yeah, I figured after 2 1/2 days of hell and no email for my office I should post something so that it doesn't happen again to me or anyone else :\
 
Old 10-31-2001, 06:44 PM   #10
phek
Original Poster
I just noticed a new problem. When I do a
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -j SNAT --to-source <INET IP>
I can't get out from my 10.0.0.0 network. Of course if I leave the source out so it's just
iptables -t nat -A POSTROUTING -j SNAT --to-source <INET IP>
then it does work, so it's obviously something wrong with the 10.0.0.0/8. The current IP address I'm trying from is 10.1.1.154, but it should only look for the first octet (10.) right?
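A small Python model of the three rules from post #7 (DNAT in nat/PREROUTING, ACCEPT in filter/FORWARD, SNAT in nat/POSTROUTING) together with the /# prefix match that post #7 explains and post #10 asks about, added here as an example; it is not code from the thread. It assumes 203.0.113.10 as a stand-in for <INET IP>, a constructed client at 198.51.100.7 and a DROP policy on the FORWARD chain; rule_dst is a hypothetical parameter used to show that FORWARD only ever sees the already-DNATed destination, so a FORWARD rule written against the public address never matches.

```python
import ipaddress
from dataclasses import dataclass, replace

INET_IP = "203.0.113.10"  # constructed placeholder for the thread's <INET IP>

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on (eth1 = internet, eth0 = LAN, as in post #7)
    out_if: str  # interface the routing decision picked for it
    proto: str
    src: str
    dst: str
    dport: int

def in_prefix(ip: str, cidr: str) -> bool:
    """True if the first N bits of ip equal those of a.b.c.d/N (the /# rule post #7 describes)."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(net)) & mask)

def prerouting(pkt: Packet) -> Packet:
    # nat/PREROUTING: -i eth1 -p TCP -d <INET IP> --dport 25 -j DNAT --to 10.1.1.2:25
    if pkt.in_if == "eth1" and pkt.proto == "TCP" and pkt.dst == INET_IP and pkt.dport == 25:
        return replace(pkt, dst="10.1.1.2", dport=25)
    return pkt

def forward(pkt: Packet, rule_dst: str = "10.1.1.2") -> str:
    # filter/FORWARD: -i eth1 -o eth0 -p TCP -d <rule_dst> --dport 25 -j ACCEPT
    # rule_dst is a hypothetical knob: pass the public IP to see why a rule written
    # against the pre-DNAT address never matches. Chain policy is assumed to be DROP.
    if (pkt.in_if, pkt.out_if, pkt.proto) == ("eth1", "eth0", "TCP") \
            and pkt.dst == rule_dst and pkt.dport == 25:
        return "ACCEPT"
    return "DROP"

def postrouting(pkt: Packet) -> Packet:
    # nat/POSTROUTING: -o eth0 -s 10.1.1.0/8 -j SNAT --to-source <INET IP>
    if pkt.out_if == "eth0" and in_prefix(pkt.src, "10.1.1.0/8"):
        return replace(pkt, src=INET_IP)
    return pkt

def traverse(pkt: Packet, rule_dst: str = "10.1.1.2"):
    """PREROUTING runs before the FORWARD decision, so FORWARD sees the DNATed address."""
    pkt = prerouting(pkt)
    verdict = forward(pkt, rule_dst)
    return verdict, (postrouting(pkt) if verdict == "ACCEPT" else pkt)

# Constructed sample input: an inbound SMTP connection from an internet client.
SMTP_IN = Packet("eth1", "eth0", "TCP", "198.51.100.7", INET_IP, 25)
```

traverse(SMTP_IN) returns ACCEPT with the destination rewritten to 10.1.1.2 and the client's source untouched by the SNAT rule, while traverse(SMTP_IN, INET_IP) returns DROP.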