LinuxQuestions.org > Linux - Security (forum for security related questions: tips, system compromises, firewalls, etc.)
09-03-2004, 07:54 AM, #1
Senior Member | Registered: Apr 2003 | Location: Costa Rica | Distribution: Kubuntu, Debian, Knoppix | Posts: 2,092
why does iptables DNAT fail?
Hello, guys!
I have an issue with iptables right now.
I want my box to forward packets coming into it (no matter the destination) sent to smtp to a given host.
I think that would be:
Code:
iptables -t nat -A PREROUTING -t tcp --dport smtp -j DNAT --to-destination anotherhost
Correct me if I'm wrong, but with that line I'm telling iptables to change the packet's destination IP address even before the Linux box considers routing, and then it would forward the packets, right?
The other thing I did was:
echo "1" > /proc/sys/net/ipv4/ip_forward
but after doing these two things, the trick doesn't work. What's wrong?

09-03-2004, 12:21 PM, #2
Senior Member | Registered: Mar 2003 | Location: Beautiful BC | Distribution: RedHat & clones, Slackware, SuSE, OpenBSD | Posts: 1,791
Quote:
iptables -t nat -A PREROUTING -t tcp --dport smtp -j DNAT --to-destination anotherhost
It should be -p tcp instead of -t tcp.
Hope you have the FORWARD rules too.

09-03-2004, 02:48 PM, #3
Senior Member | Registered: Apr 2003 | Location: Costa Rica | Distribution: Kubuntu, Debian, Knoppix | Posts: 2,092 | Original Poster
Oh, man... that's not the problem. I wrote it -p tcp... I just misspelled it when I posted here.
I just read that NOT SNATing after DNATing can be a problem depending on the circumstances... could that be the problem?
Last edited by eantoranz; 09-03-2004 at 02:53 PM.

09-03-2004, 04:51 PM, #4
Member | Registered: Oct 2003 | Distribution: Redhat 9 | Posts: 138
I port forward on my firewall as well and this is what I have; hope it works.
Try this:
iptables -A PREROUTING -t nat -p tcp -s <anywhere> -d <ip address on router/firewall> --dport <port you are forwarding to> -j DNAT --to-destination <ip you are forwarding to>:<port you are forwarding to>
let me know if this works

08-17-2006, 12:17 AM, #5
Member | Registered: Apr 2006 | Location: Vienna-Austria | Distribution: Suse 10.x, Fedora, DSL | Posts: 63
I face exactly the same problem!
I want to forward external requests to an internal http-server!
A nice fellow here told me that changing the port is not a good idea for http-requests, because it is stored redundantly in the http-header, which is pretty weird IMHO, but anyway I made sure that the port does not have to be translated.
So I used exactly the statement you posted, but it seemed to me nothing changed?
I'd like to mention that SNAT and firewalling work fine on that box......

08-17-2006, 07:53 AM, #6
Senior Member | Registered: Apr 2003 | Location: Costa Rica | Distribution: Kubuntu, Debian, Knoppix | Posts: 2,092 | Original Poster
Well.... the problem could be that the source address of the packets that you are DNATing isn't changed.... and when they reach the server that you wanted to forward them to, when the server wants to reply back, it sends them THROUGH another router that is not the Linux box that DNATed the packets... and that's a problem, because they will have a different SOURCE address (remember it's the server that's sending them) from the address they were intended for in the first place.
Let's assume the packets were sent from A to B, but B is DNATing to C. C will get packets coming with source address A (if they are not SNATed by B). When it replies back, if instead of sending them to B it uses another router... say D, packets will reach A with source address C instead of B.... and that's the problem (at least the one I'm trying to describe). Hope it solves your doubt.
Cheers!

08-22-2006, 01:22 AM, #7
Member | Registered: Apr 2006 | Location: Vienna-Austria | Distribution: Suse 10.x, Fedora, DSL | Posts: 63
Thanks for the reply, I think I got your point.
So I tried to SNAT these packets back, although iptables-doc and some postings here say this should not be required. Anyway, I tested it, but it didn't work so far.
Wouldn't what you are saying be a general obstacle for DNAT?

08-22-2006, 03:44 AM, #8
Member | Registered: Feb 2005 | Location: ~h3av3n~ | Distribution: RHEL 4, Fedora Core 3,6,7 Centos 5, Ubuntu 7.04 | Posts: 227
What does "route" output on your mailserver?
Did you do this on your mailserver?
Code:
route add default gw <ip address on router/firewall>
and on the firewall do this:
Code:
iptables -t nat -A PREROUTING -i <External interface> -d <External interface IP address> -p tcp --dport 25 -j DNAT --to-destination anotherhost_ip_address:25
iptables -I FORWARD -i <External interface> -o <Internal Interface> -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 25 -j ACCEPT
Last edited by ~=gr3p=~; 08-22-2006 at 03:55 AM.

08-22-2006, 08:05 AM, #9
Member | Registered: Apr 2006 | Location: Vienna-Austria | Distribution: Suse 10.x, Fedora, DSL | Posts: 63
Hi ~=gr3p=~, thanks for the response. The problem actually relates to port 80 (http) and not to smtp, but I suppose your advice is valid for that as well?

08-23-2006, 02:21 AM, #10
Member | Registered: Apr 2006 | Location: Vienna-Austria | Distribution: Suse 10.x, Fedora, DSL | Posts: 63
Hi, I followed your suggestion and did:
iptables -t nat -A PREROUTING -d <External interface IP address> -p tcp --dport 8888 -j DNAT --to-destination anotherhost_ip_address:8888
iptables -I FORWARD -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 8888 -j ACCEPT
I omitted the -o and -i options, because I want the DNAT also from the internal LAN.
All other iptables rules deleted, but IP forwarding activated.....
Unfortunately, no success!

08-23-2006, 10:34 AM, #11
Senior Member | Registered: Apr 2003 | Location: Costa Rica | Distribution: Kubuntu, Debian, Knoppix | Posts: 2,092 | Original Poster
This kind of problem can get a bit tricky.
You have to get a number of things done.
Let's suppose (because I haven't read the whole deal) that you want your "routing" host to appear like it's listening on port X and it will forward packets to an inner host address y.y.y.y on port Y. OK?
On the routing host you would need to do something like:
Code:
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -d router's_public_ip -p tcp --dport X -j DNAT --to-destination y.y.y.y:Y
iptables -A FORWARD -d y.y.y.y -p tcp --dport Y -j ACCEPT
iptables -t nat -A POSTROUTING -d y.y.y.y -p tcp --dport Y -j SNAT --to-source router's_inner_IP
The last rule is not necessary if the router is the inner server's (the real one) router when the packets are traveling back.
Whenever you are testing whether it works, remember to sniff on both hosts: the router (traffic reaching the router and traffic being forwarded to the server) and the server.... and check the iptables counters to see if the rules are being applied.... in my experience, it doesn't fail.
Last edited by eantoranz; 08-23-2006 at 10:35 AM.
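The rule set that post #11 sketches, together with the hairpin/asymmetric-return case post #6 describes and the counter checks post #11 recommends, as an added example that is not code from the thread or from any poster. It is a POSIX sh script that prints the commands instead of running them, so it can be reviewed first and then piped to sh as root. The interface-free FORWARD match on `--ctstate DNAT` and the `sysctl` spelling of ip_forward are my substitutions for the thread's `-m state` match and `/proc` echo; every address, network and port in the demo call at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the iptables commands that make a
# Linux router publish TCP port EXT_PORT and hand the connection to INT_IP:INT_PORT.
# Addresses in the demo call are constructed (RFC 5737 / RFC 1918 ranges).
#
# usage: dnat_rules EXT_IP INT_IP INT_GW_IP LAN_NET EXT_PORT INT_PORT
# Nothing is applied here; pipe the output to "sh" as root after reviewing it.

dnat_rules() {
    ext_ip=$1 int_ip=$2 int_gw_ip=$3 lan_net=$4 ext_port=$5 int_port=$6
    cat <<EOF
# routing must be on, otherwise PREROUTING-rewritten packets are never forwarded
sysctl -w net.ipv4.ip_forward=1
# 1. DNAT runs before the routing decision, so restrict it to packets that were
#    really addressed to the router's public IP on the published port.
iptables -t nat -A PREROUTING -d $ext_ip -p tcp --dport $ext_port -j DNAT --to-destination $int_ip:$int_port
# 2. The FORWARD chain still sees the packet (now addressed to $int_ip); with a
#    DROP policy the nat rule alone does nothing. Matching on the DNAT conntrack
#    state accepts any connection a nat rule rewrote, whichever interface it
#    arrived on, so LAN clients that use the public address are covered too.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate DNAT -d $int_ip -p tcp --dport $int_port -j ACCEPT
# 3. Hairpin case from post #6: a LAN client connects to $ext_ip, the router
#    rewrites the destination to $int_ip, but the server answers the client
#    directly on the LAN with its own address, bypassing the router's conntrack
#    entry, so the client sees a reply from the wrong source and resets it.
#    Rewriting the source to the router's LAN address forces the reply back
#    through the router. Internet clients do not need this as long as the
#    router is the server's default gateway.
iptables -t nat -A POSTROUTING -s $lan_net -d $int_ip -p tcp --dport $int_port -j SNAT --to-source $int_gw_ip
EOF
}

# Diagnostics post #11 asks for: rule counters on the router, the conntrack
# entry, and proof that the server's return path to an outside client goes
# through the router rather than some other gateway.
# usage: dnat_checks INT_IP ROUTER_LAN_IP
dnat_checks() {
    int_ip=$1 router_lan_ip=$2
    cat <<EOF
# on the router: pkts/bytes on the DNAT and FORWARD rules must climb per connection attempt
iptables -t nat -L PREROUTING -v -n --line-numbers
iptables -L FORWARD -v -n --line-numbers
conntrack -L -p tcp -d $int_ip
# on the internal server: the route back to an outside client (constructed address)
ip route get 198.51.100.7
# expected: "... via $router_lan_ip dev ..."; any other gateway is the asymmetric path
EOF
}

# Demo with constructed values: public address 203.0.113.10, LAN 192.168.1.0/24,
# router LAN address 192.168.1.1, web server 192.168.1.20, publish 8888 -> 80.
dnat_rules 203.0.113.10 192.168.1.20 192.168.1.1 192.168.1.0/24 8888 80
dnat_checks 192.168.1.20 192.168.1.1
```

The ESTABLISHED,RELATED rule is listed before the DNAT-state rule on purpose: it carries the server's replies (and any other already-open traffic) without a per-service rule, while the second rule only has to admit the first packet of each rewritten connection.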

08-25-2006, 12:44 PM, #12
Member | Registered: Apr 2006 | Location: Vienna-Austria | Distribution: Suse 10.x, Fedora, DSL | Posts: 63
Hello eantoranz!
Thanks a lot, it works now!
I used the first two statements you recommended, as the gateway is the internal default gateway!
Some postings said (and I repeated this) that changing the port from xxxx to 80 is not possible for http-servers, because the port number is written in the http-header too. THIS IS WRONG!! I tried to change it from port 8888 to 80, and it worked out perfectly!!
So again: thanks, you helped me very much!!

08-25-2006, 01:11 PM, #13
Senior Member | Registered: Apr 2003 | Location: Costa Rica | Distribution: Kubuntu, Debian, Knoppix | Posts: 2,092 | Original Poster
Cheers 2 that!