LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-28-2005, 10:25 AM   #1
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Rep: Reputation: 30
Iptables postrouting question


If I use this command,
iptables -t nat -A PREROUTING --dst 10.0.2.1/24 -p tcp --dport 8500 -j DNAT --to-destination 62.xxx.xxx.xxx:23

Will that route all traffice from IP range 10.0.2.1 on port 8500 to 62.xxx.xxx.xxx on port 23
 
Old 01-28-2005, 12:59 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Depends on what you mean by "ip range"..
If you use a single ip number and a netmask, it will convert the single number to the correct network number, then the whole subnet would be diverted by the rule as you describe.
So everything going to tcp port 8500 at the range 10.0.2.1 to 254 would be redirected to the external number port 23.
It's always a good practice to use interface names if possible to make sure the correct packets are being redirected.
 
Old 01-28-2005, 01:56 PM   #3
Chowroc
Member
 
Registered: Dec 2004
Posts: 145

Rep: Reputation: 15
Re: Iptables postrouting question

Quote:
Originally posted by phatboyz
If I use this command,
iptables -t nat -A PREROUTING --dst 10.0.2.1/24 -p tcp --dport 8500 -j DNAT --to-destination 62.xxx.xxx.xxx:23

Will that route all traffice from IP range 10.0.2.1 on port 8500 to 62.xxx.xxx.xxx on port 23
I think there is some problem of your command, I think it should be:
iptables -t nat -A PRESROUTING -d 62.xx.xx.xx -p tcp --dport 23 -j DNAT --to-destination 10.0.2.1:8500
to make: Internet --- (request) ---> Server_in_LAN

and:
iptables -t nat -A POSTROUTING -s 10.0.2.1 -p tcp --sport 8500 -j SNAT --to-source 62.xx.xx.xx:23
to make: Internet <--- (respond) --- Server_in_LAN

and:
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT
to make your LAN connect to Internet with NAT.
 
Old 01-28-2005, 04:09 PM   #4
Baco
LQ Newbie
 
Registered: May 2004
Location: Portugal
Distribution: Gentoo
Posts: 21

Rep: Reputation: 15
it's PREROUTING as u have write not PRESROUTING...I think
 
Old 01-28-2005, 05:11 PM   #5
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
Basically this is question that I has asked before when we have problems with external addresses change. (Cisco VPN pix 501) When a route drops it causes all sorts of problems for the clients. I can allways get my link back up as I can log everyone off the connection and then change the config in the pix and then boot it back up. This doens't work when I am in the US and then I have a site in the UK that need to be rebooted. I can not do that untill certain hours. The work around is to have the down site connect to me as I can get the route back up. If I have them connect to the nix sever and then have it redirect back across the VPN to the AS400 server. The first problem was the AS400 uses port 23. (SSH) So I am going to have it inniate the connection on a nonstandard port and then redirect to 23. I have no clue as to what I really need to do so if someone can give me good examples to go by I would like that.
 
Old 01-29-2005, 03:48 AM   #6
ugge
Senior Member
 
Registered: Dec 2000
Location: Gothenburg, SWEDEN
Distribution: OpenSUSE 10.3
Posts: 1,028

Rep: Reputation: 45
Chowroc: There are no need to set up both SNAT and DNAT for this. Both SNAT and DNAT are self sufficient for their respective uses.

DNAT is for port forwarding
SNAT is for masquerading/NAT
 
Old 01-29-2005, 11:25 AM   #7
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
What you've suggested for an iptables rule works ok..

But if the real problem is flakey routes, you'd be better to use dns to supply a different route. (Assuming of course clients are connecting by url rather than ip number)
If you set the default TTL of your dns servers to say 10 mins, you can refresh the ip numbers for an outage..

You would need dns servers close to your clients to make sure there is less delay..
 
Old 01-31-2005, 09:31 AM   #8
phatboyz
Member
 
Registered: Feb 2004
Location: Mooresville NC
Distribution: CentOS 4,Free BSD,
Posts: 358

Original Poster
Rep: Reputation: 30
We use Ip numbers and the host file. We do not have a internal DNS server.

Also this is all internal there is not routing across the internet. We have a VPN so I have 7 sites that I can browse with IP ranges. The nix box wont know its comming from a differen't ip range cause of the pix doing NAT. I just need to have all connections that come into eth0 on port 8500 be reditected to 23 on another ip address.

I am lost now.

Last edited by phatboyz; 01-31-2005 at 09:35 AM.
 
Old 01-31-2005, 02:58 PM   #9
Baco
LQ Newbie
 
Registered: May 2004
Location: Portugal
Distribution: Gentoo
Posts: 21

Rep: Reputation: 15
I hope this will help.
I only started using IP tables a few days ago. I have 2 machines, one running linux another windows server 2003, which was till a few days ago doing the NAT. Now its the linux machine doing it and I made a script for the NAT and a few other things. Among those I added a line to the script to redirect any connection recieved on ports 10000:10009 to the windows machine ( those r the ports that I have configured to my torrent client use ). To do that I have added the line:
Code:
iptables -A INPUT -p tcp --destination-port 10000:10009 -m state --state NEW,ESTABLISHED -j ACCEPT;

iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 10000:10009 -j DNAT --to 192.168.0.2;
The first line allow the linux machine to accept connection on those ports the second line redirect those connections to the windows machine...I think
Anyway it worked.
I'm not sure if it was something like this that u wanted tho I hope it was

[EDIT]eth0 is the interface connected to internet eth1 the interface with the local network, linux local network IP = 192.168.0.1 and windows machine IP = 192.168.0.2, I'm using masquerade since I have dynamic IP[/EDIT]

Last edited by Baco; 01-31-2005 at 03:04 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
mark set on PREROUTING stays until POSTROUTING? eantoranz Linux - Networking 3 07-26-2005 06:50 PM
iptables question smirn0ff Linux - Security 5 04-13-2005 04:03 AM
POSTROUTING just stopped? ryedunn Linux - Networking 9 01-10-2005 10:49 PM
kmyfirewall & dynamic IP for POSTROUTING SNAT mpw Linux - Software 0 05-05-2004 08:12 AM
iptables POSTROUTING doesn't match local-process replies. bentz Linux - Networking 3 03-10-2004 07:34 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:56 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration