LinuxQuestions.org, Linux - Security forum
05-15-2004, 07:30 PM, #1 - pshepperd (LQ Newbie, registered Aug 2003, 10 posts)

iptables DNAT


I am having major issues configuring DNAT with iptables....

Right now I have a PPPoE interface with 5 static IPs on it. I have 5 servers, one of which is the firewall/router/PPPoE/iptables box.

That server uses SNAT and forwarding to route the information coming from the other servers, which are behind the firewall.

SNAT is working just fine... as I can translate the private IPs to one of the WAN IPs as I choose..... however, I cannot go the other way.

For some reason I cannot even ping the WAN IP that I have put a DNAT entry in for.

How do I configure DNAT?

Is there anything else I need to do?
Do I need to put all the WAN IPs on an interface?

Thanks for your help.
 
05-22-2004, 04:56 PM, #2 - Capt_Caveman (Senior Member, registered Mar 2003, Fedora, 3,658 posts)

Re: iptables DNAT

> Right now I have a PPPoE interface with 5 static IPs on it. I have 5 servers, one of which is the firewall/router/PPPoE/iptables box.

So do you have the router/firewall set up with 5 external IPs assigned as aliases, like pppoe0:1, pppoe0:2, etc.? And you want to map each external IP to an internal server using DNAT?

> For some reason I cannot even ping the WAN IP that I have put a DNAT entry in for.

You can't ping the external IPs from where, a remote host or from inside the LAN?

> How do I configure DNAT?

The standard method is to just add a DNAT rule to the PREROUTING chain that redirects the packet to the internal machine, then add a forwarding rule to allow packets to pass from the external interface to the internal one. So, for example, say we wanted to route incoming HTTP traffic arriving on the router's external interface (pppoe0) to an internal web server (xxx.xxx.xxx.xxx); our DNAT rule would look something like this:

iptables -t nat -A PREROUTING -i pppoe0 -p tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.xxx

The rule to forward the HTTP traffic from the external interface (pppoe0) to the internal one (eth0) would look like this:

iptables -A FORWARD -i pppoe0 -o eth0 -p tcp --dport 80 -j ACCEPT

In most situations you have to add another forwarding rule to allow traffic back out, but if you have SNAT working, then it sounds like you already have that functioning.

> Do I need to put all the WAN IPs on an interface?

Not quite sure what you mean here. Maybe you should explain?

It also will probably help a lot if you post your current firewall rules, so we can see what you are working with. Make sure to remove any identifiable (public) IP addresses first.
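The PREROUTING DNAT plus FORWARD ACCEPT pattern in the reply above, written out for the original poster's situation of several public IPs each mapped to a different internal server. This is an added example, not code from the thread or from either poster; the interface names (ppp0, eth0), the addresses and the port list are constructed. It goes a little beyond the reply in two defensive respects: each DNAT rule also matches the destination public IP (-d), so one public address maps to exactly one server instead of every port-80 packet on the link being redirected, and the FORWARD rules use the conntrack match so only the translated flow and its replies are forwarded. By default the script only prints the commands it would run; set APPLY=1 and run it as root to actually load them.

```shell
#!/bin/sh
# Added example (not from the thread): generate the DNAT + FORWARD rule pairs
# that Capt_Caveman's reply describes, one pair per public IP -> internal server.
# Interface names, addresses and ports are assumptions/constructed values.
# Commands are printed only; APPLY=1 (as root) executes them as well.
# net.ipv4.ip_forward=1 is assumed to be set already (SNAT is working).

WAN_IF="${WAN_IF:-ppp0}"   # assumed PPPoE interface name
LAN_IF="${LAN_IF:-eth0}"   # assumed LAN interface name

# Constructed mapping table, one "public_ip internal_ip port" triple per line.
MAPPINGS='203.0.113.10 192.168.1.10 80
203.0.113.11 192.168.1.11 25
203.0.113.12 192.168.1.12 443'

# run: print the iptables command line; execute it only when APPLY=1.
run() {
    printf '%s\n' "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

# dnat_rules WAN_IP LAN_IP PORT: the two rules for one public->internal mapping.
dnat_rules() {
    wan_ip=$1; lan_ip=$2; port=$3
    # Translate only traffic addressed to this specific public IP and port.
    run -t nat -A PREROUTING -i "$WAN_IF" -d "$wan_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$lan_ip"
    # Forward only the translated flow (post-DNAT destination) to the server.
    run -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$lan_ip" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# base_rules: the "traffic back out" rule the reply mentions, done statefully so
# replies for any accepted (or SNATed outbound) connection are forwarded.
base_rules() {
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# generate_all: base rule followed by one DNAT/FORWARD pair per mapping line.
generate_all() {
    base_rules
    printf '%s\n' "$MAPPINGS" | while read -r wan lan port; do
        [ -n "$wan" ] && dnat_rules "$wan" "$lan" "$port"
    done
}

generate_all
```

Running it without APPLY prints seven iptables commands, which is a convenient way to review the rule set (and to diff it against the output of iptables-save later) before touching the live firewall. A FORWARD chain whose default policy is DROP is assumed; with ACCEPT as the policy the FORWARD rules above change nothing.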
 