port address tranlstion

cashton2k · 12-11-2005, 04:49 PM

ive been struggling with this for days, wondering if any one cud give me some help.

i need to apply port address translation (overloaded network address translation) to all traffic originating on my network and destined for the outside network and beyond - using iptables.

any ideas on a command?

cheers for any help

Capt_Caveman · 12-11-2005, 06:55 PM

Could you explain a bit more about what you'd like to do? Are you trying to do Port->Host mappings or load-balancing? Or did you mean NAT?

cashton2k · 12-12-2005, 09:36 AM

NAT i think, im really stuck - this is what i have at the moment

externalinterface="eth1"

externaladdress="`ifconfig $externalinterface | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

iptables -t nat -A PREROUTING -p tcp -i eth0 -d $externaladdress --dport 80 --sport 1024:65535 -j DNAT --to 172.24.15.0:8080

iptables -t nat -A PREROUTING -p tcp -i eth0 -d $externaladdress --dport 443 --sport 1024:65535 -j DNAT --to 172.24.15.0:8080

to me it seems like it shud work but i dunno lol

Capt_Caveman · 12-12-2005, 10:49 AM

That looks like it should work for the DNAT part. Do you have rules to handle the outgoing traffic (like SNAT or Masquerading)? Also do you have rules in the FORWARD chain to pass packets from the external to internal interfaces (and vice versa)? Did you enable packet forwarding in the kernel (echo "1" > /proc/sys/net/ipv4/ip_forward)?

cashton2k · 12-12-2005, 11:01 AM

Quote:

Originally Posted by Capt_Caveman

That looks like it should work for the DNAT part. Do you have rules to handle the outgoing traffic (like SNAT or Masquerading)? Also do you have rules in the FORWARD chain to pass packets from the external to internal interfaces (and vice versa)? Did you enable packet forwarding in the kernel (echo "1" > /proc/sys/net/ipv4/ip_forward)?

i havent enabled port forwarding ill try that now, i have snat rules but i think they are in the same condition as my dnat rules lol and i have the following for the FORWARD chain:

iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 172.24.15.1 --dport 443 -j ACCEPT

iptables -A FORWARD -p tcp -s 192.168.0.0/16 -d 172.24.15.1 --dport ! 80 -j DROP

cheers for the help, much appreciated

Darin · 12-12-2005, 01:19 PM

Quote:

Originally Posted by cashton2k

NAT i think, im really stuck - this is what i have at the moment

externalinterface="eth1"

externaladdress="`ifconfig $externalinterface | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

iptables -t nat -A PREROUTING -p tcp -i eth0 -d $externaladdress --dport 80 --sport 1024:65535 -j DNAT --to 172.24.15.0:8080

iptables -t nat -A PREROUTING -p tcp -i eth0 -d $externaladdress --dport 443 --sport 1024:65535 -j DNAT --to 172.24.15.0:8080

to me it seems like it shud work but i dunno lol

So your intent is to send all web (port 80 http and 443 https) requests to a proxy server?

Two things I noticed are that the NAT rules you set up seem too specific and you are forwarding to what appears to be a network address, rather than a specific host. Try something like:

Code:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to 172.24.15.5:8080

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 443 -j DNAT --to 172.24.15.5:8080

where 172.24.15.5 is the actual IP of the proxy server.